Investigator Use
crt.sh Certificate Search is a free online certificate transparency log search tool maintained by Sectigo that allows investigators to search all publicly logged SSL/TLS certificates by domain name, organization name, certificate serial number, or SHA-1 fingerprint. It provides comprehensive visibility into the complete certificate issuance history for any domain.
For OSINT investigators, crt.sh is an essential reconnaissance tool for domain and infrastructure analysis. Certificate transparency (CT) logs capture every publicly trusted SSL/TLS certificate ever issued, including the subject alternative names (SANs) that list every domain the certificate covers.
Subdomain enumeration is one of crt.sh's most powerful capabilities. When a wildcard or multi-SAN certificate is issued for a domain, crt.sh reveals all subdomains explicitly listed in that certificate. This surfaces development servers, internal tools, staging environments, and other subdomains that may not appear in DNS enumeration.
Historical certificate records are equally valuable. Certificates issued years ago that covered specific subdomains reveal the historical infrastructure of a target domain — including subdomains that have since been decommissioned but were part of the organization's web presence.
Organization-based searches allow investigators to find all certificates issued to a specific organization name, which reveals all the domains that organization has secured with SSL certificates — potentially including domains the organization has not publicly associated with itself.
Certificate issuance timing reveals when new infrastructure was deployed — a certificate for a new subdomain appearing in CT logs weeks before an incident may be significant. CT log timestamps are reliable and verifiable.
The API at crt.sh supports programmatic queries for large-scale analysis and integration into automated reconnaissance workflows.
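The sketch below is an added example, not code from this page or from crt.sh. It turns a set of certificate records into a per-hostname first-seen timeline and picks out names first logged shortly before an incident date. The records are constructed, the `name_value` and `entry_timestamp` fields are assumed to follow crt.sh's JSON output, and the function names are hypothetical.

```python
import json
from datetime import date, timedelta

# Constructed sample records; field names are an assumption modelled on crt.sh JSON:
# name_value = newline-separated certificate names, entry_timestamp = time logged.
SAMPLE = json.dumps([
    {"id": 1, "name_value": "example.com\nwww.example.com",
     "entry_timestamp": "2019-03-01T08:00:00.000"},
    {"id": 2, "name_value": "*.example.com\nexample.com",
     "entry_timestamp": "2021-06-10T09:30:00.000"},
    {"id": 3, "name_value": "staging.example.com\nOld-VPN.example.com",
     "entry_timestamp": "2020-01-15T11:00:00.000"},
    {"id": 4, "name_value": "login-portal.example.com",
     "entry_timestamp": "2024-04-20T02:15:00.000"},
    {"id": 5, "name_value": "www.example.com\nuser@example.com\nshop.notexample.com",
     "entry_timestamp": "2023-02-02T10:00:00.000"},
])


def first_seen(records_json, domain):
    """Map each hostname under `domain` to the earliest date it was logged."""
    seen = {}
    for rec in json.loads(records_json):
        logged = date.fromisoformat(rec["entry_timestamp"][:10])
        for name in rec["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name:
                continue  # e-mail address entries are not hostnames
            if name != domain and not name.endswith("." + domain):
                continue  # look-alike or unrelated domain, out of scope
            if name not in seen or logged < seen[name]:
                seen[name] = logged
    return seen


def logged_before_incident(seen, incident, window_days):
    """Hostnames first logged within `window_days` before the incident date."""
    start = incident - timedelta(days=window_days)
    return sorted(n for n, d in seen.items() if start <= d <= incident)


def wildcards(seen):
    """Wildcard entries show a zone is in use but name no specific host."""
    return sorted(n for n in seen if n.startswith("*."))


if __name__ == "__main__":
    hosts = first_seen(SAMPLE, "example.com")
    for name, d in sorted(hosts.items(), key=lambda kv: kv[1]):
        print(d.isoformat(), name)
    print("pre-incident:", logged_before_incident(hosts, date(2024, 5, 10), 30))
    print("wildcards:", wildcards(hosts))
```

Wildcard entries are reported separately because they cover hosts without naming them, so confirm any host under a wildcard through another source.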
For phishing and brand protection investigations, searching crt.sh for certificates containing a brand name identifies all domains that have obtained certificates claiming to be associated with the brand, including fraudulent domains.
Document the domain searched, the certificate results including SANs, the issuance dates, and any notable historical or organizational findings.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.