You probably have no idea how many SSL certificates exist for your domains. Or who has them.
Most ops teams track the certificates they issue. Nobody tracks the certificates they didn't issue. The ones from your previous CDN. Your former hosting provider. That contractor who left six months ago. They're all still out there. Still valid.
The BygoneSSL research (Ian Foster and Dylan Ayrey, 2018) found about 1.5 million domains with still-valid certificates that predated their current owner: certificates held by whoever had the domain before. Some of yours may well be on that list.
Time to find out.
Start with Certificate Transparency Logs
Every publicly trusted certificate gets logged: Chrome and Safari reject leaf certificates that don't carry proof of Certificate Transparency logging, so CAs log everything they issue. That's good news. It means you can find them, including the ones you never issued.
Go to CertKit Certificate Search and search for your domain. You want to see everything, not just currently valid certs. Expired certificates tell you who has been able to get certificates for your names, and who might still be able to.
What you'll find will make you uncomfortable.
I searched for a client's domain last week. Found over 100 certificates. They knew about 3.
The rest? Old hosting providers. Development agencies. That "quick test" someone ran with Let's Encrypt. A wildcard certificate from their previous CDN that doesn't expire until 2026.
Each one is a potential security incident.
The Vendors You Forgot About
Look at the issuer field for each certificate. See Let's Encrypt? Sectigo? DigiCert? Now ask yourself: who uses those CAs?
That Sectigo certificate from 2023? Probably your old CDN. Still valid for another 200 days.
The Let's Encrypt cert renewed every 90 days? Could be that staging server your contractor set up. The one that's supposedly decommissioned. Except someone's still renewing the certificate.
The DigiCert wildcard? Your previous hosting provider included it "free" with your plan. You moved providers. They kept the certificate.
Check the SANs (Subject Alternative Names)
This is where things get really fun. Multi-domain certificates.
Your domain might be bundled with 50 other domains on the same certificate. Maybe 500. I've seen CDN certificates with over 700 domains.
Here's why that matters: revocation is all-or-nothing per certificate, not per name. If any of those domains changes ownership, the new owner can demonstrate control of it and have the CA revoke the entire certificate. Your site goes down because some random domain sharing your certificate got sold.
The Subdomain Problem
Wildcards are convenient. They're also dangerous.
That *.yourdomain.com certificate you issued two years ago? It works for every subdomain. Including the ones you delegated to vendors. The test environments you forgot about. The staging server that "doesn't exist anymore."
Search for these patterns in your CT logs:
- *.yourdomain.com (wildcards)
- staging.yourdomain.com
- test.yourdomain.com
- dev.yourdomain.com
- Any vendor-specific subdomains
Each valid certificate is active infrastructure, whether you know about it or not.
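Here is that triage in code, as an added example that is not code from the post or from CertKit. It takes the rows a CT search exports, modelled on crt.sh's JSON shape (one row per name, the issuer DN in `issuer_name`, newline-separated names in `name_value`); those field names are an assumption to adapt to whatever service you export from, and the four certificates below are constructed. It groups certificates by issuer (the vendor question), separates still-valid from expired, and flags wildcards, SANs outside your domain, and the staging/test/dev hostnames listed above.

```python
"""Triage CT search results for one domain: who issued what, what is still
valid, which certificates are wildcards, which are shared with names you do
not own, and which sit on staging/test/dev hostnames.

Added example, not code from the post or from CertKit. Record shape is
modelled on crt.sh's JSON output (assumption); all data below is constructed.
"""
import json
from collections import Counter
from datetime import datetime

# The subdomain labels the post tells you to search for.
SUSPECT_LABELS = {"staging", "test", "dev"}

# Fixed "today" so the sample report is reproducible.
REFERENCE_NOW = datetime(2024, 9, 15)

# Constructed sample: four certificates, one of them already expired.
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2024-08-01T00:00:00", "not_after": "2024-10-30T00:00:00",
     "name_value": "staging.example.com"},
    {"id": 102, "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA",
     "not_before": "2024-01-15T00:00:00", "not_after": "2025-02-15T00:00:00",
     "name_value": "*.example.com\nexample.com"},
    {"id": 103, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00",
     "name_value": "example.com\nwww.example.com\ncdn-shared.example.net\nother-customer.org"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2023-01-01T00:00:00", "not_after": "2023-03-31T00:00:00",
     "name_value": "dev.example.com"},
])


def issuer_org(issuer_dn):
    """Organisation (O=) from an issuer DN, falling back to the whole DN."""
    for part in issuer_dn.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_dn


def strip_wildcard(name):
    return name[2:] if name.startswith("*.") else name


def in_scope(name, domain):
    """True if name is the domain itself or something under it."""
    bare = strip_wildcard(name)
    return bare == domain or bare.endswith("." + domain)


def load_certs(raw_json):
    """Collapse per-name rows into one record per certificate id."""
    certs = {}
    for row in json.loads(raw_json):
        rec = certs.setdefault(row["id"], {
            "issuer": issuer_org(row["issuer_name"]),
            "not_before": datetime.fromisoformat(row["not_before"]),
            "not_after": datetime.fromisoformat(row["not_after"]),
            "names": set(),
        })
        rec["names"].update(n.strip().lower() for n in row["name_value"].split("\n") if n.strip())
    return certs


def triage(certs, domain, now=None):
    """Bucket certificates by the risks the post describes."""
    now = now or datetime.now()
    report = {"valid": [], "expired": [], "wildcard": [], "shared": [],
              "suspect": [], "by_issuer": Counter(), "expires": {}}
    for cid, c in sorted(certs.items()):
        report["by_issuer"][c["issuer"]] += 1
        if c["not_before"] <= now < c["not_after"]:
            report["valid"].append(cid)
            report["expires"][cid] = c["not_after"].date().isoformat()
        else:
            report["expired"].append(cid)  # also catches not-yet-valid
        if any(n.startswith("*.") for n in c["names"]):
            report["wildcard"].append(cid)
        # Any name outside your domain means the certificate is shared with
        # someone else's property; a change of ownership there can get the
        # whole certificate revoked.
        if any(not in_scope(n, domain) for n in c["names"]):
            report["shared"].append(cid)
        if any(in_scope(n, domain) and strip_wildcard(n).split(".")[0] in SUSPECT_LABELS
               for n in c["names"]):
            report["suspect"].append(cid)
    return report


if __name__ == "__main__":
    rep = triage(load_certs(SAMPLE_CT_JSON), "example.com", now=REFERENCE_NOW)
    for key in ("valid", "expired", "wildcard", "shared", "suspect"):
        print(f"{key:>9}: {rep[key]}")
    for issuer, count in rep["by_issuer"].most_common():
        print(f"  {count} from {issuer}")
```

Run against a real export, the `shared` bucket is the one to read first: those are the certificates whose fate depends on domains you don't control, and `expires` tells you how long each of them stays a liability.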
Who Can Request Certificates?
This is the question nobody asks. Who can prove control of your domain?
- Anyone with access to your DNS
- Anyone receiving admin emails
- Anyone who can place files on your web server
- Anyone with access to your cloud account
That's a lot of people. Current employees. Former employees. Your DNS provider. Your CDN. Your hosting company.
They can all request certificates. Right now. And you won't know until you check the CT logs.
What To Do About It
You can have a certificate revoked for a name you control, but it's a slow, per-CA process: you ask the CA, or with an ACME CA you prove control of every name on the certificate yourself, and the Baseline Requirements oblige CAs to act once they learn a subscriber no longer has rights to a name. And revocation barely works anyway; browsers mostly don't check it. So focus on minimizing future damage.
Immediate steps:
- Document every certificate you find. Note the expiration dates.
- CAA records. Set them now. Name the CAs allowed to issue for your domains, and use issuewild to forbid wildcards unless you actually need them.
- Monitor CT logs. Weekly at minimum. Daily is better. Or monitor them continuously with CertKit.
- Rotate credentials after vendor changes. DNS passwords, cloud API keys, everything.
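A CAA record set is only as good as the way CAs evaluate it, so here is that evaluation, as an added example rather than code from the post or from CertKit. It implements the RFC 8659 lookup (climb from the requested name, wildcard label removed, to the nearest ancestor that has CAA records) and the issue/issuewild precedence rules, against a constructed zone for example.com; the zone, names and CA identifiers are all assumptions, and you should check this reading of the RFC against your CA's published CAA handling before relying on it.

```python
"""Evaluate CAA records the way RFC 8659 tells a CA to: find the relevant
record set by climbing the DNS tree, then apply issue / issuewild.

Added example, not code from the post or from CertKit. The zone below is
constructed; the CA identifiers are the ones those CAs publish but are
used here only as sample data.
"""

# Constructed zone: owner name -> list of (flags, tag, value).
# Flag 128 is the "issuer critical" bit.
CONSTRUCTED_ZONE = {
    # Corrected posture: two named CAs may issue, nobody may issue
    # wildcards, and violation reports go to the security team.
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; validationmethods=dns-01"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # A delegated vendor subdomain with its own, narrower record set,
    # which takes precedence over the parent's records.
    "vendor.example.com": [(0, "issue", "sectigo.com")],
    # A critical property no CA understands: issuance must be refused.
    "frozen.example.com": [(128, "custom-policy", "deny")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, fqdn):
    """Walk up from fqdn (wildcard label removed) to the first name with CAA records."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    name = name.lower().rstrip(".")
    while name:
        if zone.get(name):
            return zone[name]
        name = name.partition(".")[2]  # drop the leftmost label
    return []


def ca_in_values(values, ca_domain):
    """Match the issuer domain, ignoring any ';key=value' parameters."""
    for v in values:
        issuer = v.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False  # an empty value (";") matches no CA at all


def caa_allows(zone, fqdn, ca_domain):
    """True if ca_domain may issue for fqdn under the zone's CAA records."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised property with the critical flag set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    if fqdn.startswith("*."):
        # issuewild governs wildcards when present; otherwise issue does.
        governing = issuewild if issuewild else issue
    else:
        governing = issue
    if not governing:
        return True  # the set exists but says nothing about issuance
    return ca_in_values(governing, ca_domain)


def render_zone(zone):
    """Zone-file lines, so the same data can be pasted into a real zone."""
    return [f'{owner}.\tIN\tCAA\t{flags} {tag} "{value}"'
            for owner, records in zone.items() for flags, tag, value in records]


if __name__ == "__main__":
    print("\n".join(render_zone(CONSTRUCTED_ZONE)))
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("*.vendor.example.com", "sectigo.com"),
                     ("frozen.example.com", "digicert.com")]:
        print(f"{ca:>16} for {fqdn:<24} -> {'allowed' if caa_allows(CONSTRUCTED_ZONE, fqdn, ca) else 'refused'}")
```

Two behaviours worth noticing: a vendor subdomain with its own CAA set overrides your apex records entirely (including the wildcard ban, because `issuewild` is only consulted in the set that was actually found), and a missing CAA record set means unrestricted issuance, which is why "set them now" matters.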
Long term fixes:
Short certificate lifespans. The 47-day certificates everyone's complaining about? They solve this problem. A forgotten certificate stops working within weeks instead of lingering, valid, for a year or more.
Certificate automation. Manual processes can't track this. You need tools that discover, monitor, and manage certificates continuously.
Want to automate certificate discovery and monitoring? CertKit tracks every certificate for your domains, not just the ones you issued. Because the certificates you don't know about are the ones that hurt you.