Subdomain Finder
Search certificate transparency data to discover subdomains associated with a domain. This tool is useful for identifying publicly observed hostnames that may be linked to websites, APIs, gateways, remote access services, and other internet-facing systems.
Results
What this tool does
The Subdomain Finder checks certificate transparency data to uncover hostnames that have appeared on public TLS certificates.
Because certificate transparency data is based on issued certificates, the results are best treated as discovered hostnames rather than a guaranteed list of active systems.
How to use this tool
- Enter a root domain such as example.com.
- Click Search.
- Review the list of discovered hostnames.
- Copy individual entries, copy the full result set, or export to CSV.
Understanding the results
This tool returns unique hostnames discovered from certificate transparency data.
Not every discovered hostname will necessarily be live. A hostname may have appeared on a certificate in the past but no longer resolve.
Frequently Asked Questions
What is a subdomain?
A subdomain is a hostname that exists under a parent domain, such as api.example.com or mail.example.com.
Does this show every subdomain?
No. It shows hostnames that have appeared in certificate transparency data.
Why are some entries no longer active?
Certificate transparency includes historical certificate data.
Related Tools
Related Articles
How Certificate Transparency Helps Find Subdomains
Learn how certificate transparency logs help find subdomains, what the data misses, and how to interpret CT-based hostname discovery safely.
How to Check Certificate SANs and Spot Hostname Mismatches
Learn how to check certificate SANs, confirm whether a hostname is covered, and use SAN data to troubleshoot TLS errors and asset exposure.
What Is a Subject Alternative Name in TLS?
Learn what a subject alternative name is in a TLS certificate, why SANs matter for hostname validation, and how SAN data helps with discovery and troubleshooting.