The Certificate Transparency discovery identifies subdomains from the public logs of TLS certificate issuance. It complements DNS enumeration by listing subdomains that have been issued a valid certificate, even if they do not appear in DNS enumeration dictionaries.
Certificate Transparency discovery
The discovery queries public Certificate Transparency data sources to list all subdomains that have valid TLS certificates related to the specified domain.
For example, with the domain example.com, the discovery may find staging.example.com or portal.example.com if they were issued certificates.
To create a Certificate Transparency discovery:
- Go to Discoveries, click Add, then Certificate Transparency in the Domain names category.
- In the Target field, specify your base FQDN. For example: example.com
- Optional – Enable Neighbor domain search to include domains with similar registrant information.
- Configure the Discovery mode:
  - Choose the primary address type (IP address or domain name) for the discovery, used when displaying the discovered assets.
- Optional – Specify a recurrence period (in days or hours) to enable periodic discoveries. Setting the value to 0 disables recurrence.
- Click Confirm.
Once started, the discovery will query Certificate Transparency data sources and list all subdomains with valid TLS certificates related to the specified domain.
The results will appear in Discoveries once the process is complete.
Limitations
Certificate Transparency discoveries are limited to publicly issued TLS certificates.
Subdomains using private or internal certificates will not appear in the results. Likewise, wildcard certificates only reveal the main domain, not its individual subdomains.
For comprehensive coverage of your domain space, it is recommended to combine Certificate Transparency discoveries with DNS enumeration and, if applicable, WHOIS discoveries.
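The subdomain extraction described above, together with the wildcard and scope caveats from Limitations, as an added illustration that is not part of the product or this page: it parses a constructed crt.sh-style JSON export (SAMPLE_CT_ENTRIES, in_scope and extract_subdomains are assumed names, not the product's) and separates concrete hostnames from wildcard names, which reveal only the parent domain.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of a crt.sh-style JSON export (not real data):
# each entry lists the certificate's names, one per line, in "name_value".
SAMPLE_CT_ENTRIES = json.dumps([
    {"id": 1, "name_value": "example.com\nwww.example.com"},
    {"id": 2, "name_value": "Staging.Example.com"},
    {"id": 3, "name_value": "*.example.com"},                   # wildcard: hides its subdomains
    {"id": 4, "name_value": "portal.example.com\nwww.example.com"},
    {"id": 5, "name_value": "example.com.evil-lookalike.net"},  # out of scope
    {"id": 6, "name_value": "notexample.com"},                  # suffix trap, out of scope
])

# A DNS label, or the "*" label used by wildcard certificates.
LABEL_RE = re.compile(r"^(\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?)$")


def in_scope(name, base):
    """True if name is base itself or a subdomain of base (label boundary respected)."""
    return name == base or name.endswith("." + base)


def extract_subdomains(ct_json, base):
    """Return (hosts, wildcards, seen_in) from CT entries for the base domain.

    hosts: sorted concrete FQDNs under base; wildcards: sorted wildcard names;
    seen_in: maps each name to the set of entry ids that listed it.
    """
    base = base.lower().strip(".")
    hosts, wildcards = set(), set()
    seen_in = defaultdict(set)
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name or not in_scope(name, base):
                continue  # lookalikes and unrelated names never enter the inventory
            if not all(LABEL_RE.match(label) for label in name.split(".")):
                continue  # skip malformed names rather than inventory junk
            seen_in[name].add(entry["id"])
            (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards), dict(seen_in)


if __name__ == "__main__":
    hosts, wildcards, seen_in = extract_subdomains(SAMPLE_CT_ENTRIES, "example.com")
    print("hosts:", hosts)
    print("wildcards (parent only, no individual subdomains):", wildcards)
```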