Ask your team how many TLS certificates they're responsible for. Write down the number. Then run a real discovery exercise against your domains and your cloud accounts. The actual number is usually 2 to 3 times what was written down.
This isn't a story about incompetent teams. It's a story about how certificates accumulate during normal operations and how the inventory you maintain by hand falls behind the inventory that actually exists. Closing that gap is the discovery exercise most teams never quite get around to.
Where the missing certs come from
Five common sources:
Forgotten subdomains. A marketing campaign in 2023 needed a microsite. It got a Let's Encrypt cert with auto-renewal. The campaign ended; the subdomain stayed up; nobody removed it from monitoring because nobody added it in the first place. Multiply this by every campaign your team has run.
Cloud console issuance. An engineer in a different team needed a quick cert for a project. They clicked "request certificate" in the AWS console. The cert was issued, the workload deployed, and nobody outside that team knew the cert existed. AWS Certificate Manager is excellent operationally and invisible inventory-wise unless you explicitly enumerate every account.
Vendor portals. Your CRM, your support platform, your analytics tool, your marketing automation - many SaaS vendors issue TLS certs on behalf of customers for CNAME-pointed subdomains. The cert exists; your domain serves over it; your team doesn't track it.
Internal services that became external. Two years ago, this was a dev-only thing. Then a customer needed access, so it got exposed publicly. The cert that came along has been quietly renewing on its own schedule, outside any production monitoring.
Acquired-company infrastructure. When you bought the other company, their domains came with you. Their certs came with you. Some of them are in your central inventory now; some of them aren't, and the only people who knew about them have left.
The discovery exercise
A practical discovery exercise has three parts:
Subdomain enumeration. For each of your registered domains, generate a list of all subdomains that exist. Tools like subfinder, amass, or commercial alternatives pull from CT logs, DNS records, search engines, and other sources. The output is a list of hostnames you may not have known about.
CT log scraping. For each of your domains, pull every public certificate issued for any of its subdomains over the last several years. CT log search engines (crt.sh, censys, others) provide this. Cross-reference against your internal inventory to find the deltas.
Cloud account inventory. For each cloud provider in use, enumerate all managed certificates (ACM, Cloudflare API, Azure managed certs, GCP managed SSL). For each one, capture the hostname, the issuance date, the renewal owner, and the underlying service.
Combined, these three pull in the certs your central inventory has missed. The total is usually larger than expected.
What scanning reveals beyond count
Discovery isn't only about how many. The same exercise tells you:
- Cipher and protocol distribution. How many of your certs are on hosts still offering TLS 1.0 or 1.1? Probably more than you'd hope.
- Issuer distribution. How many of your certs are from each CA? If a CA has a distrust event scheduled (DigiCert G1 in April 2026 was a recent example), do you know exactly which of your certs are affected?
- Expiry distribution. Are renewals spread evenly through the year, or clustered around a specific quarter? Clustering creates predictable busy periods that should be planned for.
- Hostname coverage gaps. Cert SAN lists vs DNS records: which hostnames are pointed at infrastructure that doesn't have a matching cert?
- Ownership gaps. Which certs aren't tagged with a team or service owner? Those are the ones that will be orphaned next time someone leaves.
The count is the headline. The patterns underneath are the actually-useful output of the exercise.
Check your own domain right now
As a first step, take your primary domain and run a scan against it. You'll see the cert, the chain, the cipher, the expiry. That's one hostname. Now do it for every subdomain you can think of. Then check CT logs for the rest. The gap between "what you check" and "what exists" is the part that matters.
Find what's actually in your certificate footprint
TLS Radar runs continuous certificate discovery across your domains, cloud accounts, and internal infrastructure. Subdomain enumeration, CT log monitoring, cloud-account inventory, internal CA integration - all in one source-agnostic inventory. Built to scale from a handful of sites to enterprise portfolios with API integration, SAML/SSO, and pricing tailored to your certificate volume.
Get the next post in your inbox
TLS monitoring tips and product updates. No spam, unsubscribe anytime.