Certificate Transparency lookup

Public, append-only logs of every TLS certificate issued by a participating CA. CT was created after a string of mis-issuance incidents (Comodo, DigiNotar) so anyone can audit which certs exist for which names. Modern major CAs are required by browser policy to log every cert they issue.

/subdomains-check enumerates SUBDOMAINS - which names under your apex have ever had a cert. /ct-lookup focuses on the FULL CERT HISTORY for a name - issuer breakdown, validity windows, when certs were issued, expired, or rotated. Different views of the same underlying data.

CT logs are append-only - certs from 2018 are still in there. Even after a subdomain is deleted in DNS, the cert it once had remains in the log forever (until it expires from the cryptographic merkle tree, which is decades).

Yes - private CAs (your internal company root) don't log to public CT. The public Web PKI does. Also, certs issued before CT participation became universal (~2018) may not be in the logs.

Both upstreams' issuer fields can be missing or in an unparseable format for some entries. We fall back to the raw DN string when we can't extract a clean organisation name.

We query multiple public CT log aggregators with automatic failover. Both index the same underlying public CT logs, so results are comparable regardless of which source served your query. If one is degraded we fall back to the other automatically.

Yes - Wiredepth Pro tails the CT stream in real time and alerts within ~10 seconds of a new cert being issued for any subdomain of a monitored apex. Catches phishing-kit infrastructure within minutes of issuance, before the campaign launches.