
Is it possible to view all previously issued SSL certificates for a particular domain?

@Shakeerah822

Posted in: #SecurityCertificate

If we wanted to know if a particular domain has had SSL certificates issued to it by CAs in the past, that are now revoked/expired, is there a resource that has that information?


1 Comments


@Yeniel560

Probably not.

Firstly, from a privacy point of view:


If you're not the legitimate owner of this domain name, the owners could have firewalled you out of their server. It's none of your business to know whether or not they have a certificate for a host, one of its CNAME aliases or anything like that. I would consider a CA leaking that sort of information to be releasing private data to a degree (not in the sense of public/private key).
If you are the owner of the service, well, you should have kept better records perhaps. For similar reasons, the fact you are now in control of a domain name doesn't mean that you were its owner a couple of years ago, for example.


This being said, assuming that this is about a host that's publicly visible, you may be able to query the notaries used by systems like Convergence to help you find a number of certificates that may have been valid for a host name, but not necessarily all of them.

It's still possible to have multiple certificates, from multiple CAs (commercial or internal), all valid at the same time. The fact that one user sees a valid certificate from a particular CA doesn't mean that another won't see another certificate, also valid, from the same or another CA. This can happen on large sites (that would use DNS load-balancing, for example), as illustrated in this Security.SE question.

In addition, anyone can issue a certificate for any host. I can issue a certificate for google.com using a few OpenSSL commands in 2 minutes. No hacking involved. The problem is that I'll be the only one recognising that certificate as valid.

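An added example, not part of the answer above, showing its last two points with the OpenSSL command line: two unrelated issuers can each sign a certificate for the same host name, and each certificate validates only for a client that already trusts its issuer. The host name `host.example.test` and the issuers `ca-a` and `ca-b` are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: constructed names only (host.example.test, ca-a, ca-b).
set -eu

make_ca() {   # make_ca <dir> <name>: self-signed root that no one else trusts
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

issue() {     # issue <dir> <ca-name> <host>: leaf for <host> signed by <ca-name>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2-leaf.key" -out "$1/$2-leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$2-leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$2-leaf.pem" >/dev/null 2>&1
}

trusted() {   # trusted <anchor.pem> <leaf.pem>: does the leaf chain to this anchor?
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

trusted_by_default_store() {   # what a client with the stock trust store would decide
  if openssl verify "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

demo() {
  d=$(mktemp -d)
  make_ca "$d" ca-a
  make_ca "$d" ca-b
  issue "$d" ca-a host.example.test
  issue "$d" ca-b host.example.test
  # Order: A trusts A's leaf, B trusts B's leaf, A trusts B's leaf,
  #        B trusts A's leaf, default store trusts A's leaf.
  echo "$(trusted "$d/ca-a.pem" "$d/ca-a-leaf.pem")" \
       "$(trusted "$d/ca-b.pem" "$d/ca-b-leaf.pem")" \
       "$(trusted "$d/ca-a.pem" "$d/ca-b-leaf.pem")" \
       "$(trusted "$d/ca-b.pem" "$d/ca-a-leaf.pem")" \
       "$(trusted_by_default_store "$d/ca-a-leaf.pem")"
  rm -rf "$d"
}

demo
```

Both leaf certificates exist for the same name at the same time, yet neither appears in any record outside the machine that created them, which is why observing a host cannot enumerate every certificate ever issued for it.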