Discover subdomains from SSL/TLS certificates
Every publicly trusted TLS certificate is logged to public Certificate Transparency (CT) logs, and every certificate's SANs field lists the domains it covers. Searching CT for a target domain is the most reliable passive way to enumerate subdomains — including staging hosts, internal panels, and dev environments that DNS scanning misses entirely.
Why CT logs reveal subdomains
When a CA issues a TLS certificate, it must submit the certificate to multiple CT logs (Chrome and Safari refuse to trust certs that aren't logged). The certificate's Subject Alternative Names (SANs) extension lists every hostname the certificate covers. Both the certificate and the SANs become part of the public log permanently.
The result: any time someone provisions a TLS certificate for staging.example.com, internal.example.com, or admin-old-2019.example.com, that hostname is now publicly discoverable forever — even if the host is decommissioned, even if DNS no longer resolves it, even if the certificate has long expired.
Step-by-step
1. Try it in the browser
Search any domain below — CT Radar returns every certificate ever issued for that domain or its subdomains.
2. Use the CLI for pipeable output
# install
$ go install github.com/imfht/ct-radar@latest
$ export CT_RADAR_KEY=<your-key>
# enumerate
$ ct-radar example.com
api.example.com
admin.example.com
internal.example.com
staging.example.com
dev-old.example.com
...
847 unique subdomains
3. Pipe into httpx to find what is alive
$ ct-radar example.com | httpx -silent
https://api.example.com [200]
https://staging.example.com [403]
https://admin.example.com [401]
...
124 live hosts
4. Combine with active enumeration
# CT (passive) + subfinder (passive DNS) + amass (run with -passive here)
$ {
    ct-radar example.com;
    subfinder -d example.com -silent;
    amass enum -passive -d example.com;
  } | sort -u | httpx -silent
...
1,247 live hosts
Tips and limits
- CT misses what was never certed. Internal hosts that only run HTTP, or that use a private CA, will not appear. Always combine CT with active DNS enumeration.
- Wildcard certs hide subdomains. A certificate for *.example.com covers everything but reveals nothing specific.
- Old certs are gold. Even expired certificates from 2018 might point to forgotten staging hosts that are still online.
- Filter wildcards in code. When piping into other tools, drop entries starting with *. — they break most probe tools.
- Let's Encrypt withdrew from CT in 2025, but every LE cert is still co-logged to other operators' logs, so LE-issued subdomains remain visible.
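The wildcard-filtering tip and the point about old certificates can be combined into one hygiene step for your own domains: clean the raw CT names, then list the ones your asset inventory does not know about. This is an added example, not part of ct-radar; the function names, the sample lines and the inventory file are constructed, and the input is assumed to be one hostname per line.

```shell
#!/bin/sh
# Added example, not part of ct-radar. Function names, sample lines and the
# inventory file are constructed for illustration.

# ct_clean DOMAIN: stdin = raw hostnames, stdout = unique in-scope names.
ct_clean() {
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr '[:upper:]' '[:lower:]' | tr -d '\r' | awk -v d="$domain" '
    { gsub(/^[ \t]+|[ \t]+$/, ""); sub(/\.$/, "") }   # trim, drop trailing dot
    /^\*\./          { next }   # wildcard SAN: names no concrete host
    !/^[a-z0-9.-]+$/ { next }   # blank line, summary text, malformed entry
    $0 == d          { print; next }
    # Match on a label boundary so notexample.com is not taken for example.com.
    length($0) > length(d) && substr($0, length($0) - length(d)) == ("." d)
  ' | LC_ALL=C sort -u
}

# ct_unknown INVENTORY: stdin = cleaned names, stdout = names not in INVENTORY.
ct_unknown() {
  awk 'FILENAME == ARGV[1] { known[tolower($0)] = 1; next }
       !($0 in known)' "$1" -
}

# Constructed sample of raw CT output, including entries that must be dropped.
sample_ct_lines() {
  cat <<'EOF'
API.example.com
*.example.com
staging.example.com.
admin-old-2019.example.com
staging.example.com
notexample.com
example.com.cdn.test
*.dev.example.com
example.com

847 unique subdomains
EOF
}

# Demo: names in CT that the (constructed) inventory does not know about.
inv=$(mktemp)
printf '%s\n' api.example.com example.com staging.example.com > "$inv"
sample_ct_lines | ct_clean example.com | ct_unknown "$inv"
rm -f "$inv"
```

Names that appear in CT but not in the inventory are the candidates for decommissioning or for being brought under monitoring.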
Start with a search
Free tier covers 100 lookups per day. No signup needed for the search bar.