Certificate Transparency search
Free, fast search for unexpired certificates from CT logs, with grouped results for easier review.
Results will appear here after a search.
Search scope options
- DNS SAN (exact)
-
Matches only an identical DNS SAN value, including literal wildcards.
Search*.example.comMatches*.example.comDoes not matchwww.example.com*.example.com.au - DNS host coverage
-
Matches certificates that directly cover the host, including a wildcard for the parent domain.
Searchwww.example.comMatcheswww.example.com*.example.comDoes not matchsub.www.example.combadwww.example.comwww.example.com.au - DNS host and subdomains
-
Matches direct host coverage plus certificates issued for names below the host.
Searchwww.example.comMatcheswww.example.com*.example.comsub.www.example.comdeeper.sub.www.example.comDoes not matchbadwww.example.comwww.example.com.au
What is Certificate Transparency?
Certificate Transparency is a public logging system for publicly trusted TLS certificates. It makes certificate issuance visible, so domain owners, security researchers, and others can monitor which certificates have been issued by publicly trusted certificate authorities.
Related: we used Certificate Transparency data to analyze when TLS certificates are renewed and how often renewal happens after expiration.
When do new certificates appear?
Publicly trusted TLS server certificates are normally available in search within 10 minutes of being issued.
Are both pre-certificates and final certificates shown?
Certificate Transparency logs may contain a pre-certificate, the final certificate, or both for the same issued certificate. Search results show one result per real certificate. When both a pre-certificate and its corresponding final certificate are found, they are deduplicated into a single result.
Deduplication uses the combination of TBS-no-CT SHA-256 and
Issuer SPKI SHA-256.
TBS-no-CT SHA-256 identifies the certificate’s to-be-signed data after Certificate Transparency-specific fields have been
removed, allowing the pre-certificate and final certificate to match for deduplication.
What is CertObserver?
CertObserver is a certificate monitoring platform that helps teams track TLS certificates, Certificate Transparency activity, and renewal risk across the domains they operate.