FreeSubdomain Finder

Certificate Transparency (CT) logs are public records of every SSL/TLS certificate issued by trusted Certificate Authorities. When a certificate is issued for a subdomain, it gets logged. By querying these logs, we can discover all subdomains that have ever had a certificate issued — revealing staging servers, internal tools, API endpoints, and forgotten services.

Yes, completely free with no signup required. The tool queries public Certificate Transparency logs via crt.sh, which is an open-source CT log search engine.

This tool finds subdomains that have had SSL/TLS certificates issued for them. Subdomains without certificates (HTTP-only services, internal DNS records not tied to certificates) won't appear. For most modern domains, CT logs cover the majority of active subdomains since HTTPS adoption is widespread.

DNS brute-forcing tries thousands of common subdomain names and checks if they resolve. CT-based discovery is passive — it reads public certificate logs without sending any traffic to the target domain. CT discovery finds actual subdomains that exist (or existed) regardless of naming convention, while brute-forcing only finds subdomains that match its wordlist.

First Seen is the earliest certificate validity start date (not_before) found for that subdomain. Last Seen is the latest certificate expiry date (not_after). These dates show the time range during which certificates were active for the subdomain, helping you identify recently created or long-lived services.

Yes. CT-based subdomain enumeration is a standard reconnaissance technique used in authorized security testing. The data is entirely public — anyone can query CT logs. Always ensure you have proper authorization before testing any discovered subdomains.