Search public Certificate Transparency logs (via crt.sh) for every cert issued to a domain. Returns the cert list plus a deduped subdomain set extracted from the SANs — the fastest way to enumerate subdomains for a security audit. Free upstream, no key required.