What are wildcard subdomains?

A wildcard certificate (*.example.com) covers all possible first-level subdomains. In CT logs it appears as *.example.com. This tool filters wildcards to show only specific subdomains.

Data comes from Certificate Transparency historical logs, so it includes current subdomains and also past subdomains that had a certificate at some point. It's not a real-time active scan but a certificate history.

Free tool

Subdomain Finder

Name: Free Subdomain Finder
Author: Miguel Ángel Colorado Marin

Discover the subdomains of any domain using Certificate Transparency (crt.sh). Passive analysis, no active scanning. Up to 100 subdomains. No sign-up.

Built by

Miguel Ángel Colorado Marin (MACM)

Built by

Miguel Ángel Colorado Marin (MACM)

Full-Stack Developer · Guadalajara, España

I develop web apps, digital tools and full projects — from design to deployment.

GitHub LinkedIn miguelacm.es

Contact me

How to use the subdomain finder?

1
Enter the root domain
Type just the root domain (e.g. example.com). Without https:// or subdomains.
2
Click Analyze
The tool queries crt.sh — the public Certificate Transparency logs — to find subdomains with historical TLS certificates.
3
Review subdomains in Security
You'll see the list of found subdomains: api., staging., mail., admin., etc. Without wildcards.
4
Assess exposure
Identify potentially forgotten or exposed services that shouldn't be public.

Frequently asked questions

What is Certificate Transparency?

CT is an RFC 6962 standard that requires CAs to log all TLS certificates in publicly auditable logs. As a side effect, these logs reveal subdomains that have had certificates — if someone issued a certificate for staging.example.com, it will be publicly recorded.

Why don't all subdomains appear?

Only subdomains that had a TLS certificate will appear. Subdomains without HTTPS, with direct IPs or purely internal ones won't appear. Logs also have delays and there may be historical gaps.

What is knowing subdomains useful for?

For inventory of exposed services, detecting forgotten subdomains (staging with real data, public admin panels) and, in authorized pentesting, as part of initial reconnaissance.

Is the data current?

It comes from CT historical logs, so it includes both current and past subdomains. It's not an active scan — it's a history of issued certificates.

Is it legal to search for subdomains with Certificate Transparency?

Yes. Certificate Transparency logs are public and auditable databases by design. crt.sh is the best-known search engine and is used by security researchers, sysadmins and companies worldwide to monitor their certificates.

Is it legal to search for subdomains?

Yes. This tool only queries public Certificate Transparency logs — open databases that anyone can query, maintained by Google, Cloudflare, DigiCert and others. We don't perform any active port scanning or DNS brute force. It's a standard passive reconnaissance technique in defensive security and in the daily work of any sysadmin.

Embed this tool

Integrate the Subdomain Finder in your blog or website:

<iframe src="https://miguelacm.es/embed/subdomain-finder" width="100%" height="700" style="border:none;border-radius:12px;" loading="lazy"></iframe>

Source code available on GitHub.

View on GitHub

Related tools

Web Analyzer

Full technical audit: DNS, SSL, SEO, email and stack.

DNS Lookup

DNS records: A, AAAA, MX, TXT, NS, CNAME, SOA.

WHOIS Lookup

Domain registrar, dates and nameservers.

IP Lookup

IP geolocation: country, ISP, timezone.