CERT Lookup
Lookup CERT records and inspect certificate references published in DNS. Run fast checks, interpret results, and use related tools for validation.
Use CERT Lookup in 4 Steps
What is CERT Lookup?
CERT records store certificate material or certificate references in DNS for specific interoperability scenarios. They were designed to allow DNS-based certificate distribution for protocols like S/MIME, PGP, and IPsec before modern TLS PKI became universal.
CERT records support multiple certificate types including X.509 (PKIX), SPKI, PGP, IP-PGP, and URI-based references. In practice, CERT records are rarely used in modern deployments — TLS PKI (Let's Encrypt, DigiCert) and DANE (via TLSA records) have replaced most DNS-based certificate use cases.
Quick Interpretation Table
Use this reference to diagnose common outcomes when running CERT Lookup.
| Observed Result | Likely Cause | Next Step |
|---|---|---|
| CERT not found | DNS-published certificate path unavailable | Publish CERT record if your application requires DNS-based certificate lookup |
| Unexpected cert type value | Consumer application may not recognize the type | Verify supported CERT type values for your application |
| Payload format mismatch | Parsing failure risk in consuming application | Regenerate record with correct encoding for the expected certificate type |
CLI Examples
Run these commands directly from a terminal to verify CERT records without relying on a browser-based tool.
dig CERT example.comdig CERT _smimecert.user.example.comnslookup -type=CERT example.comdig CERT example.com +shortTroubleshooting Workflow
- Run this record check first for a scoped signal on the target hostname.
- Validate nameserver authority and SOA context if results are unexpected.
- Use propagation checks when different regions return different values.
- Re-run after applying fixes and compare values against your expected configuration.
Frequently Asked Questions
Get guides like this by email
DNS, email auth, and security playbooks delivered when they publish. No spam.