crt.sh Review
Passive certificate transparency searches uncover subdomains and related infrastructure before you ever touch the target.
Quick Verdict
Bug bounty hunters, external pentesters, and OSINT practitioners who want a fast passive recon source to expand subdomain coverage before active validation.
Pros
- + High-yield passive source for certificate-backed subdomain discovery
- + Useful for uncovering overlooked hostnames, SAN entries, and related domains quickly
Cons
- − Results include expired, stale, and non-live hostnames that require validation
- − Coverage is limited to assets that appeared in public certificates
If you do external recon seriously, crt.sh is one of those sources you check almost automatically.
crt.sh is not a one-stop solution, and it does not replace multi-source enumerators. Certificate transparency data provides one of the cleanest passive ways to expand a target's hostname footprint before sending a single request to their infrastructure. It often reveals newly deployed services, forgotten staging environments, third-party hosted assets, and subdomains that never show up in simple wordlist guessing.
The appeal of crt.sh lies in its speed, passivity, and routine usefulness: one query, no packets to the target, and a result set worth checking on almost every engagement.
What crt.sh Does
crt.sh searches certificate transparency logs, which contain all publicly issued SSL/TLS certificates. Any hostname or domain in a cert can be found.
For recon, crt.sh enables subdomain discovery. Searching a base domain with wildcard patterns and keywords tied to the target organization allows you to find hostnames that appeared in certificates matching your query. You query cert records, not servers, and do not need to touch the target.
crt.sh is a passive tool. It tells you a hostname appeared in a cert at some point. It does not mean the hostname resolves now, is still owned, or is still up. It provides leads.
Used correctly, crt.sh quickly turns one root domain into dozens or hundreds of potential targets for later DNS and HTTP checks. It gives you a starting point, and you validate from there.
How Certificate Transparency Helps Recon
Certificate transparency pays off because most internet-facing infrastructure gets a certificate before anyone asks whether it should be discoverable.
Modern services rely on TLS. Certs get issued for staging portals, regional environments, API gateways, vendor apps, and temporary deployments. Even if those systems aren't publicly linked, cert metadata can still spill hostnames.
CT data beats simpler passive methods in certain situations. It shows obvious production subdomains, SAN entries, wildcard coverage, issuance timing, and cert reuse patterns. You see how an environment is structured.
Cert records hold more than just hostnames. Issuance dates show when infrastructure appeared. SAN lists reveal sibling hosts on the same cert. Repeated cert patterns expose naming conventions. You spot clusters like api-dev, api-stage, vpn, sso. You're not just finding hosts — you're learning how the target builds infrastructure.
That's why crt.sh isn't just a passive hostname list. It's a source of recon context.
Practical Investigation Workflow
The most common workflow is straightforward: search a base domain, extract hostnames, deduplicate them, and feed them into validation tools like dnsx or httpx. This gets you from passive discovery to a workable list of live assets quickly.
crt.sh fits best as an upstream source. It surfaces things you wouldn't have checked otherwise. Once those names are in your pipeline, the rest of the stack can do its job. You're not validating, just gathering.
The second useful workflow is keyword and organization-name searching. Search company names, subsidiaries, acquired brands. You might find certificates tied to alternate domains or related infrastructure. A company may have legacy brands or vendor-managed applications. Country-specific portals and acquisition leftovers show up too.
That matters in mature programs. The real attack surface is often broader than one domain. Recent certificate issuance is another underused signal. Look at recent issuance to surface newly created hosts or short-lived infrastructure. Repeated patterns reveal naming conventions. Crt.sh isn't just for finding names; it's for spotting patterns that tell you where to enumerate next. That helps.
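As an added example (not code from crt.sh or from this review), the following Python script performs the first stage of the workflow above on a constructed crt.sh-style JSON response: it splits the newline-separated `name_value` field, lowercases and deduplicates names, strips wildcards, keeps only names under the root you are scoped to, pulls out recently issued hosts, and groups hostnames by naming prefix so clusters like api-dev / api-stage stand out. The sample records, the root domain `example.com`, and the cut-off date are assumptions; in real use you would replace `SAMPLE_CRTSH_JSON` with the body returned by `https://crt.sh/?q=%25.example.com&output=json` and hand the output to dnsx or httpx for validation.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). The ids, hostnames and
# dates are made up for this example; they are not real log entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "api-dev.example.com",
     "name_value": "api-dev.example.com\napi-stage.example.com",
     "not_before": "2025-12-01T00:00:00", "not_after": "2026-03-01T23:59:59"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2025-06-15T00:00:00", "not_after": "2026-06-15T23:59:59"},
    {"id": 3, "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nsso.example.com",
     "not_before": "2026-03-30T00:00:00", "not_after": "2026-06-28T23:59:59"},
    {"id": 4, "common_name": "API-DEV.example.com",   # case-variant duplicate
     "name_value": "API-DEV.example.com",
     "not_before": "2026-01-10T00:00:00", "not_after": "2026-04-10T23:59:59"},
    {"id": 5, "common_name": "shop.example.net",      # keyword hit, out of scope
     "name_value": "shop.example.net",
     "not_before": "2026-03-20T00:00:00", "not_after": "2026-06-18T23:59:59"},
])


def parse_crtsh(raw_json: str) -> list[dict]:
    """Turn crt.sh JSON into records with a set of SAN names per certificate.

    crt.sh packs every SAN into name_value, one per line, so the split is
    the one piece of format handling that matters.
    """
    records = []
    for entry in json.loads(raw_json):
        names = {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}
        names.add(entry["common_name"].strip().lower())
        records.append({
            "id": entry["id"],
            "names": names,
            "not_before": datetime.fromisoformat(entry["not_before"]),
            "not_after": datetime.fromisoformat(entry["not_after"]),
        })
    return records


def normalize(name: str) -> str:
    """'*.example.com' is not a host; keep the apex it tells you is covered."""
    return name[2:] if name.startswith("*.") else name


def in_scope(name: str, root: str) -> bool:
    """Only the root itself and names beneath it count as in scope."""
    return name == root or name.endswith("." + root)


def extract_hostnames(records: list[dict], root: str) -> list[str]:
    """Deduplicated, in-scope hostnames across every certificate."""
    hosts = set()
    for rec in records:
        for name in rec["names"]:
            host = normalize(name)
            if in_scope(host, root):
                hosts.add(host)
    return sorted(hosts)


def recent_hostnames(records: list[dict], root: str, since_iso: str) -> list[str]:
    """Hostnames from certificates issued on or after since_iso (YYYY-MM-DD)."""
    since = datetime.fromisoformat(since_iso)
    fresh = [rec for rec in records if rec["not_before"] >= since]
    return extract_hostnames(fresh, root)


def naming_clusters(hostnames: list[str], root: str) -> dict[str, list[str]]:
    """Group hosts by the alphabetic prefix of the label just below the root,
    so api-dev and api-stage land in one 'api' cluster."""
    clusters = defaultdict(list)
    for host in hostnames:
        if host == root:
            continue
        label = host[: -len(root) - 1].split(".")[-1]
        prefix = re.split(r"[-\d]", label)[0] or label
        clusters[prefix].append(host)
    return {k: sorted(v) for k, v in sorted(clusters.items())}


if __name__ == "__main__":
    recs = parse_crtsh(SAMPLE_CRTSH_JSON)
    print("all:", extract_hostnames(recs, "example.com"))
    print("recent:", recent_hostnames(recs, "example.com", "2026-03-01"))
    print("clusters:", naming_clusters(extract_hostnames(recs, "example.com"), "example.com"))
```

The field names (`id`, `common_name`, `name_value`, `not_before`, `not_after`) are the ones crt.sh's JSON output actually carries; everything else here, including the prefix heuristic for clustering, is a convention of this example rather than anything crt.sh defines.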
crt.sh vs Other Subdomain Enumeration Methods
crt.sh is a certificate transparency source, not a full enumeration framework.
crt.sh has a narrower focus than tools like subfinder or amass, which aggregate multiple sources. crt.sh shows you direct certificate data, with no blended output.
crt.sh can be more effective than brute-force DNS on obscure hosts. If a target has an unusual subdomain, wordlist guessing might miss it, but if that hostname was in a public certificate, crt.sh might find it.
Certificate presence does not mean DNS resolves. DNS resolution does not mean HTTP works. HTTP does not mean the service matters. You still need the rest of the recon stack.
crt.sh provides better names to test. You still need to verify DNS, HTTP, and relevance. Cloud assets and storage require other methods.
Use crt.sh as a complement, not a replacement.
Limitations and Operational Considerations
Limitations of Certificate Transparency Logs
crt.sh has its limits. It only knows about hostnames that have appeared in public certificates. No public cert, no entry. Internal services and non-TLS setups are not included.
Records on crt.sh can be stale: the log includes expired certificates, replaced ones, and names that were never activated. A hostname might have been issued a certificate and then abandoned; another might be old and no longer in use.
Ownership is not always clear. Shared certificates, CDNs, and multi-tenant platforms can make it difficult to determine ownership. A hostname in a certificate is a lead, not proof. You still need DNS, HTTP, hosting, and context before escalating.
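The three caveats above (stale records, unclear ownership, lead-not-proof) can be encoded as a triage step before anything gets escalated. The Python below is an added example, not code from crt.sh or this review: it takes constructed certificate records of the kind you would get after parsing crt.sh output, marks leads whose certificate has expired, flags certificates whose SAN list spans several unrelated registrable domains (a sign of a CDN or multi-tenant platform, so the name may not be the target's at all), and checks DNS through an injectable resolver. `FAKE_DNS`, the record contents, the "more than one foreign domain" threshold, and the confidence labels are assumptions of this example; `dns_resolve` is the live-network alternative and is not used in the offline run.

```python
import socket
from datetime import datetime

# Constructed records (not real certificates): one set of SAN names per cert,
# in the shape you get after splitting crt.sh's name_value field.
LEADS = [
    {"id": 101, "names": {"vpn.example.com", "sso.example.com"},
     "not_after": "2026-06-28T23:59:59"},
    {"id": 102, "names": {"old-portal.example.com"},           # long expired
     "not_after": "2024-01-15T23:59:59"},
    {"id": 103, "names": {"cdn-edge.example.com", "assets.othercorp.net",
                          "static.thirdbrand.io", "img.fourth.org"},
     "not_after": "2026-09-01T23:59:59"},                      # shared CDN cert
]

# Stub resolver so the example runs offline; sso.example.com deliberately has
# no entry to model a certificate name that no longer resolves.
FAKE_DNS = {
    "vpn.example.com": "203.0.113.10",
    "cdn-edge.example.com": "198.51.100.7",
}


def dns_resolve(host: str):
    """Live resolver for real use; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def registrable_domain(host: str) -> str:
    """Naive apex extraction (last two labels). Real use should consult the
    public suffix list, e.g. via the tldextract package, to handle co.uk etc."""
    return ".".join(host.split(".")[-2:])


def shared_cert(rec: dict, root: str, max_foreign: int = 1) -> bool:
    """True when the certificate covers more than max_foreign registrable
    domains other than the target root, which points at a CDN or
    multi-tenant platform rather than infrastructure the target controls."""
    foreign = {registrable_domain(n) for n in rec["names"]} - {root}
    return len(foreign) > max_foreign


def in_scope(name: str, root: str) -> bool:
    return name == root or name.endswith("." + root)


def triage(records: list[dict], root: str, asof_iso: str, resolve) -> dict:
    """Label each in-scope hostname with an IP (or None), a confidence and the
    reasons that lowered it. resolve is any callable host -> ip-or-None."""
    asof = datetime.fromisoformat(asof_iso)
    leads: dict[str, dict] = {}
    for rec in records:
        expired = datetime.fromisoformat(rec["not_after"]) < asof
        shared = shared_cert(rec, root)
        for name in rec["names"]:
            if not in_scope(name, root):
                continue
            lead = leads.setdefault(name, {"ip": None, "reasons": set()})
            if lead["ip"] is None:
                lead["ip"] = resolve(name)
            if expired:
                lead["reasons"].add("cert-expired")
            if shared:
                lead["reasons"].add("shared-cert")
    for name, lead in leads.items():
        if lead["ip"] is None:
            lead["reasons"].add("no-dns")
            lead["confidence"] = "low"        # lead only, nothing to test yet
        elif lead["reasons"]:
            lead["confidence"] = "medium"     # live, but ownership or age in doubt
        else:
            lead["confidence"] = "high"
        lead["reasons"] = sorted(lead["reasons"])
    return leads


if __name__ == "__main__":
    for host, lead in triage(LEADS, "example.com", "2026-04-05", FAKE_DNS.get).items():
        print(f"{host:28} {lead['confidence']:6} {lead['ip'] or '-':16} {','.join(lead['reasons'])}")
```

Swapping `FAKE_DNS.get` for `dns_resolve` turns this into the real validation step; keeping the resolver injectable is also what makes the logic testable without touching anyone's infrastructure.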
Verdict
crt.sh is a go-to passive recon source. Certificate transparency records show infrastructure that DNS-only searches miss.
Its strength isn't just breadth, it's speed. One search by domain or keyword can turn up staging hosts, forgotten services, alternate brands, and naming patterns. These leads improve the rest of your recon workflow.
For bug bounty hunters and external pentesters, crt.sh is easy to justify as a first step. Use it early and often. It's a passive way to turn certificate history into actionable leads before probing. Operators who skip it miss things.
This review reflects testing as of 2026-04-05. OSINT tools change frequently, so check the vendor's current documentation for pricing and feature updates.