CT Subdomain Enumerator

Queries Certificate Transparency logs via crt.sh to discover every SSL certificate ever issued for the current domain. Extracts all subdomains including internal names (staging, vpn, jenkins, admin), wildcards, expired certs, and historical entries. Free alternative to SecurityTrails and Sublist3r.

Drag to your bookmarks bar:

📡 Enumerate Subdomains
1. Install — drag to bookmarks bar
2. Visit any website
3. Click — queries CT logs for all subdomains ever issued certificates

Runs on any website — all processing in your browser.

CT Subdomain Enumerator

Certificate Transparency (CT) is a public framework that logs every SSL/TLS certificate issued by trusted CAs. By querying these logs, you can discover every subdomain that has ever had a certificate issued — including internal, staging, and development subdomains that organizations never intended to be public.

Intelligence Value

Subdomains like staging.example.com, vpn.example.com, and jenkins.example.com reveal internal infrastructure, technology choices, and attack surface that simple DNS enumeration misses.

crt.sh
A free Certificate Transparency search engine maintained by Sectigo. It indexes all major CT logs and provides a JSON API.
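As an added example (not the bookmarklet's own code), the code below post-processes rows in the shape of crt.sh's JSON output, as you would when reviewing what your own organization's certificates disclose. The sample rows are constructed, the `name_value` and `not_after` fields follow crt.sh's JSON output, and `summarizeCtNames` is a hypothetical helper name.

```javascript
// Constructed sample in the shape of a crt.sh JSON response (not real data).
const SAMPLE = [
  { name_value: "www.example.com\nexample.com", not_after: "2030-01-10T00:00:00" },
  { name_value: "*.staging.example.com", not_after: "2019-05-30T00:00:00" },
  { name_value: "VPN.example.com\nvpn.partner.test", not_after: "2029-06-01T00:00:00" },
  { name_value: "www.example.com", not_after: "2018-04-01T00:00:00" },
];

// Reduce certificate rows to one entry per hostname under `domain`.
// (Hypothetical helper written for this example.)
function summarizeCtNames(rows, domain, now = new Date()) {
  const apex = domain.toLowerCase();
  const seen = new Map();
  for (const row of rows) {
    // Timestamps carry no zone suffix; this example treats them as UTC.
    const notAfter = new Date(row.not_after + "Z");
    // name_value holds one or more names separated by newlines.
    for (const raw of String(row.name_value || "").split("\n")) {
      let name = raw.trim().toLowerCase();
      const wildcard = name.startsWith("*.");
      if (wildcard) name = name.slice(2);
      // Multi-name certificates can list unrelated domains; keep in-scope names only.
      // The leading dot stops "notexample.com" from matching "example.com".
      if (name !== apex && !name.endsWith("." + apex)) continue;
      const entry = seen.get(name) || { name, wildcard: false, lastExpiry: notAfter };
      entry.wildcard = entry.wildcard || wildcard;
      if (notAfter > entry.lastExpiry) entry.lastExpiry = notAfter;
      seen.set(name, entry);
    }
  }
  // hasUnexpiredCert separates current issuance from purely historical entries.
  return [...seen.values()]
    .map(e => ({ name: e.name, wildcard: e.wildcard, hasUnexpiredCert: e.lastExpiry > now }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

console.table(summarizeCtNames(SAMPLE, "example.com"));
```

A name with `hasUnexpiredCert: true` is not necessarily live: the flag reflects certificate validity only, so confirm with DNS before treating an entry as active.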

📡 CT Subdomain Enumerator — FAQ

What is Certificate Transparency?

A public audit framework where CAs must log every certificate they issue. This means every subdomain with a publicly trusted SSL certificate is publicly discoverable.

Can organizations opt out of CT logs?

No — CT logging is mandatory for publicly trusted certificates. Private CAs issuing internal-only certs may not log to public CT.

How current is the data?

crt.sh indexes CT logs in near-real-time. New certificates appear within minutes to hours of issuance.

Does this mean the subdomains are still active?

No — CT logs include historical and expired certificates. Many discovered subdomains may no longer resolve.

Is querying crt.sh rate limited?

crt.sh is free but can be slow under heavy load. Very large domains may time out — the tool handles this gracefully.