Skip to main content
All articles
SSL

Certificate Transparency: what crt.sh tells you about a domain

Every SSL certificate ever issued is public. Here's how to read a Certificate Transparency log and what it reveals about a website's history.

July 1, 2026 6 min readBy Scam Lookup

Every SSL certificate issued in the last decade has been logged to a public, append-only ledger called Certificate Transparency. This isn't optional — modern browsers refuse to trust certificates that haven't been logged. Which means anyone can look up the entire certificate history for any domain.

The most convenient interface is crt.sh, a search engine over the CT logs. Scam Lookup's SSL scanner queries it on every scan. Three questions it answers well:

1. Is this domain brand new?

A domain that has never had a certificate before today is almost certainly newer than today. Scam operators spin up fresh domains constantly — the fresher the domain, the fresher the certificate history. Domains with dozens of certificates spread over years are far more likely to be legitimate infrastructure.

2. Who's issuing certificates for this brand?

Certificates include a common name and a list of Subject Alternative Names (SANs) — every hostname the certificate covers. If you're looking at 'paypal-refund.support', the CT log will tell you whether PayPal ever issued a certificate for it (they didn't) or whether a random shell company did.

3. What subdomains exist?

Every subdomain that ever needed HTTPS had a certificate issued, and every certificate is in the log. That means CT logs are, incidentally, one of the best subdomain enumeration tools in the world. Security researchers use it constantly. Attackers use it too — one reason to keep internal-only services off the public internet.

#ssl#certificate transparency#crt.sh#let's encrypt
Share