Forgotten certificates
Issued months or years ago, still live, and on nobody's calendar. These are the ones that expire on a quiet weekend and take a service down with them.
Certificate discovery
Know what you have before it expires.
SSL certificate discovery is finding every certificate issued for your domains, including the ones nobody remembers requesting. It works by searching Certificate Transparency logs, the public record that every trusted certificate is written to.
The certificates you don't know about
Most teams run more certificates than their spreadsheet shows. These are the ones that cause outages:
Shadow IT
Certificates a team, contractor, or vendor requested for your domains without telling anyone. They are real, trusted, and missing from your inventory.
Expiry surprises
Certificates you didn't know were close to expiring. Discovery lists them all with their dates, so nothing catches you off guard.
How certificate discovery works
Every publicly trusted certificate is written to a public, append-only Certificate Transparency log when it is issued. Each Certificate Authority publishes to its own logs, so the full record of your certificates is spread across Let's Encrypt, DigiCert, Sectigo, and every other public CA. CertKit indexes all of them, so one search covers every certificate issued for your domains, no matter which CA issued it.
Let's Encrypt DigiCert Sectigo
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ CT log │ │ CT log │ │ CT log │
└──────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
└─────────────────┼─────────────────┘
▼
┌───────────────────┐
│ CertKit │
└─────────┬─────────┘
▼
┌─────────────────────┐
│ Your certificates │
└─────────────────────┘
CertKit indexes the Certificate Transparency logs from every public CA, so one search covers them all.
This is the same data the public uses to audit Certificate Authorities. You can search it yourself, for any domain, without touching the servers that run the certificates. More on searching Certificate Transparency logs.
Search your certificates now, free
Our Certificate Transparency log search lists every certificate issued for any domain. No account, no signup, no cost. It is the fastest way to see what you actually have.
From finding them to managing them
Discovery is step one. Once you know what you have, the work is keeping each certificate valid: issuing, deploying, monitoring, and renewing it before it expires. That is certificate lifecycle management, and it is what CertKit does.
CertKit brings them under management by reissuing each one, which is free and leaves the originals working, then renews them automatically and monitors every one, so none of them expire on you again.
Using CertKit to manage our public-facing SSL certificates has been an excellent decision. The platform is user-friendly, certificates are easy to deploy, and the automation agent streamlines the entire certificate lifecycle, eliminating concerns around shortening certificate validity periods.
Chris Austin, IT Engineer, Buckman
Frequently asked questions
Is the certificate discovery tool free?
Yes. You can search Certificate Transparency logs for any domain at no cost, with no account. It returns the certificates issued for that domain and their dates.
How does discovery find certificates I forgot about?
Every publicly trusted certificate is recorded in Certificate Transparency logs, a public, append-only record. Searching those logs for your domains surfaces certificates issued by anyone, including ones requested years ago or by a team you have lost track of.
Does discovery find certificates on my internal network?
Certificate Transparency logs cover publicly trusted certificates. Private or internal CA certificates that never reach a public log won't show up there, but CertKit tracks those once they are under management, alongside your public ones.
What do I do with the certificates you find?
Discovery is step one. CertKit then issues, renews, deploys, and monitors each certificate from one account, so the ones you found stay valid without manual work.
Find every certificate, then stop chasing them
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.