2023-09-23 16:18:35Z (last updated 2024-03-08 10:20:31Z)
Did you know that when you get a certificate for HTTPS use from certificate issuers (e.g. Let's encrypt, Cloudflare, etc.), the certificate issuing is logged?
Welcome to Certificate Transparency. You can even search for certificates! Hope you didn't request for a certificate with nasty/sensitive subdomains names or malicious (impersonating) domains because the domains for issued certificates are definitely public.
=> Certificate Transparency on Wikipedia | Certificate searching through Certificate Transparency logs | List of certificates issued for jacksonchen666.com
So how do you search the certificate logs?
Well, I haven't found a way to directly pull the CT logs (yet). But there is something which provides searching: crt.sh. It provides domain search, or any other kinds of search on pretty much all attributes for a certificate.
So, subdomains. How?
Well, you need a target. How about my domain? It has a bit of an interesting history with subdomains like:
=> https://this.is.the.least.exciting.thing.ever.on.jacksonchen666.com
posts.jacksonchen666.com
=> https://matrix.jacksonchen666.com
chat.jacksonchen666.com
=> https://videos.jacksonchen666.com
server.jacksonchen666.com
api.billwurtz-search.jacksonchen666.com
billwurtz-search.jacksonchen666.com
=> https://status.jacksonchen666.com
foobar.jacksonchen666.com
=> https://microblogging.jacksonchen666.com
redesign.jacksonchen666.com
These days though, I have much less interesting domains in my certificates because I use wildcard certificates, which doesn't show the specific domains issued so you can't see them nowadays.
=> public inbox (comments and discussions) | public inbox archives | (mailing list etiquette for public inbox) This content has been proxied by September (3851b).Proxy Information
text/gemini;lang=en