
How CertShield finds your certificates

The two-track discovery model — Certificate Transparency for history, live TLS probes for the present.

CertShield uses two independent discovery channels so nothing slips through. Understanding how they differ helps you interpret what you see in the app.

Track 1 — Certificate Transparency logs

Every trusted Certificate Authority is required to publish every certificate it issues to a set of public append-only logs called Certificate Transparency logs. CertShield searches those logs for any certificate that mentions your domain.

What CT discovery gives you:

  • A full historical inventory of certificates issued for your domain, going back years.
  • Visibility into certificates on subdomains you may have forgotten about.
  • An immediate alert if a new cert is ever issued that you didn’t expect — including ones issued by an unauthorized CA.

What it doesn’t give you:

  • Proof that a certificate is actually being used anywhere. A cert in a CT log is just a record that it was issued. It may sit unused in a keystore forever.
  • The health of a live endpoint. CT logs have no concept of “is this server reachable right now.”

CT logs are the reason you see a useful inventory immediately after adding a domain — we don’t have to wait for the first renewal to happen to know what’s out there.

Track 2 — Live TLS probes

In parallel, CertShield connects to your domain over TLS on port 443 and asks it to present its certificate. We record:

  • Which certificate the server is actually serving right now.
  • Which IPs are answering for the hostname.
  • The TLS version, cipher suite, and OCSP stapling status of the connection.
  • Whether the full certificate chain validates as trusted.

Each live server we can reach becomes an endpoint in CertShield. Endpoints are re-checked on a schedule determined by your plan — as often as every 15 minutes on Business, hourly on Hobbyist and Startup.

How the two tracks show up in the UI

  • Certificates page — everything from both tracks. A certificate discovered via CT that isn’t currently being served shows up here but won’t appear on the Endpoints page until we see it live.
  • Endpoints page — only things we’ve actually connected to. This is “reality on the wire” — what a browser would see right now.
  • Dashboard — blends both, weighted toward live endpoint health since that’s what impacts your users.

Why you’ll sometimes see a cert we couldn’t verify live

Totally normal. A few reasons:

  • The certificate was issued for a hostname that isn’t actually deployed (common with wildcards and staging environments).
  • The endpoint is behind a firewall, VPN, or only serves internal traffic.
  • The cert is served on a non-standard port that CertShield doesn’t probe by default.

Neither track is “wrong” — they just see different things.
