Subdomain Finder

Every time an SSL/TLS certificate is issued for a domain or subdomain, it is logged in public Certificate Transparency (CT) logs — a requirement for all publicly trusted CAs since 2018. These logs are publicly searchable. By querying crt.sh (a CT log aggregator), we can find every subdomain that has ever had a certificate issued for it. This reveals the full historical scope of a domain's infrastructure, including subdomains that may no longer be in DNS but still exist on the server.

Legitimate uses: (1) Audit your own attack surface — find forgotten staging servers, old APIs, or shadow IT subdomains. (2) Security assessments during authorized penetration testing. (3) Competitive research — see what infrastructure a competitor has built. (4) Bug bounty reconnaissance — most programs explicitly allow CT log enumeration. (5) Verify SSL certificate issuance — confirm only authorized CAs are issuing certs for your domain. This tool only uses public CT log data — no active scanning or probing of your servers.

*.example.com (wildcard) certificates cover all first-level subdomains but don't reveal which specific subdomains exist — just that wildcards are in use. If you see *.example.com in the results, it means a wildcard cert was issued, but the actual live subdomains are not revealed by this method. Non-wildcard certificates enumerate specific subdomains. High numbers of specific subdomains plus wildcards often indicates a large, complex infrastructure.

Unexpected subdomains can indicate: (1) Forgotten staging or development environments — audit and decommission if unused. (2) Shadow IT — teams that deployed infrastructure without central IT knowledge. (3) Subdomain takeover risk — if a subdomain's DNS still points to a cloud service (Heroku, S3, GitHub Pages) that you no longer control, attackers can claim it. (4) Old certificate issuances for services you've migrated away from. For each unexpected subdomain: check if DNS still resolves it, verify you still control the server, and remove DNS records for decommissioned services.

Certificate Transparency logs are append-only and near real-time — new certificates typically appear within minutes. crt.sh aggregates logs from all major CT log servers (Google, Cloudflare, DigiCert, etc.). The "Last Seen" date reflects when the most recent certificate was logged, not whether the subdomain is currently active. A subdomain last seen in 2020 may no longer be in DNS or may have an expired certificate — CT logs record certificate issuance history, not current DNS state.