HomeDNS ToolsCERT Lookup
DNS Tool

CERT Lookup

Lookup CERT records and inspect certificate references published in DNS. Run fast checks, interpret results, and use related tools for validation.

Record Type
CERT
Focused record verification for targeted DNS troubleshooting.
Best Use
Migration + incident checks
Validate live DNS answers during change windows.
Operational Context
Use this page to validate live resolver output during DNS cutovers, outage triage, and post-change verification windows.
CERT Lookup — Start Here
Waiting for input
Enter a domain and run check
How to Use

Use CERT Lookup in 4 Steps

01
Enter domain
Input the target domain in clean hostname format (no path or query string).
02
Run CERT Lookup
Execute CERT Lookup to pull live resolver output for this record scope.
03
Compare expected vs live
Match returned values with your intended DNS configuration at the source.
04
Cross-check related tools
Validate adjacent DNS layers to isolate cache vs source problems.

What is CERT Lookup?

CERT records store certificate material or certificate references in DNS for specific interoperability scenarios. They were designed to allow DNS-based certificate distribution for protocols like S/MIME, PGP, and IPsec before modern TLS PKI became universal.

CERT records support multiple certificate types including X.509 (PKIX), SPKI, PGP, IP-PGP, and URI-based references. In practice, CERT records are rarely used in modern deployments — TLS PKI (Let's Encrypt, DigiCert) and DANE (via TLSA records) have replaced most DNS-based certificate use cases.

Best Use
Legacy integration audits and certificate-publishing diagnostics for environments that rely on DNS-based certificate distribution.
Common Mistake
Expecting CERT records to replace modern TLS certificate deployment workflows. CERT records are a legacy mechanism and should not be used as a primary certificate distribution path for web services.
Validation Path
Confirm that cert type, key tag, and algorithm fields in the CERT record match the consuming application's expectations and certificate format.

Quick Interpretation Table

Use this reference to diagnose common outcomes when running CERT Lookup.

Observed ResultLikely CauseNext Step
CERT not foundDNS-published certificate path unavailablePublish CERT record if your application requires DNS-based certificate lookup
Unexpected cert type valueConsumer application may not recognize the typeVerify supported CERT type values for your application
Payload format mismatchParsing failure risk in consuming applicationRegenerate record with correct encoding for the expected certificate type

CLI Examples

Run these commands directly from a terminal to verify CERT records without relying on a browser-based tool.

dig CERT example.com
Query CERT records for the domain
dig CERT _smimecert.user.example.com
Query S/MIME certificate record at standard subdomain (RFC 8162)
nslookup -type=CERT example.com
CERT lookup using nslookup (cross-platform)
dig CERT example.com +short
Compact CERT output showing type, key tag, algorithm, certificate data

Troubleshooting Workflow

  • Run this record check first for a scoped signal on the target hostname.
  • Validate nameserver authority and SOA context if results are unexpected.
  • Use propagation checks when different regions return different values.
  • Re-run after applying fixes and compare values against your expected configuration.

Frequently Asked Questions

What is a CERT record?
A CERT (Certificate) DNS record stores certificate material or certificate URI references in DNS. It was designed for protocols like S/MIME, PGP, and IPsec to locate certificate material by DNS query. The record encodes a certificate type code, key tag, algorithm identifier, and the certificate data in base64.
What CERT record types exist?
Common CERT type codes: 1 (PKIX / X.509 certificate), 2 (SPKI), 3 (PGP), 4 (IPKIX), 5 (ISPKI), 6 (IPGP — PGP fingerprint + URL), 253 (URI — URL pointing to certificate), 254 (OID). Type 1 (PKIX) is most common where CERT records are used at all.
Are CERT records still used today?
Rarely. CERT records were designed before modern TLS PKI and ACME (Let's Encrypt) became ubiquitous. Most certificate distribution now happens through browser-trusted CAs. The main active use case is S/MIME certificate discovery (RFC 8162 using `_smimecert` subdomains). DANE (TLSA records) is the preferred modern approach for DNS-based certificate binding.
How is CERT different from TLSA?
CERT stores the certificate itself (or a reference) for general certificate discovery. TLSA (the DANE record) binds a specific certificate to a specific TCP port and hostname for TLS authentication, providing certificate pinning enforced by DNSSEC. TLSA is the recommended modern DNS-based certificate mechanism.
How do I look up S/MIME certificates via DNS?
RFC 8162 defines the `_smimecert.localpart.domain` lookup pattern for email S/MIME certificate discovery. For user alice@example.com, the query would be `dig CERT _smimecert.alice.example.com`. The responding CERT record contains Alice's S/MIME certificate for email clients that support RFC 8162 discovery.
Record Scope
ToolCERT Lookup
Query TypeCERT
State SharingURL Param
Ops Checklist
• Verify source DNS values first
• Check authority (NS/SOA) if mismatch appears
• Compare with global propagation when needed
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.