by therein 1342 days ago
> An alternative is to issue wildcard certificates with LE, so that the subdomain names are kept private.

They'll still show up on crt.sh, though, won't they? All my LE subdomains are visible (non-wildcard) but also my non-LE paid-for 1-year wildcard ones are also showing up with all the subdomains.

Edit: Actually, never mind, those are Cloudflare. My paid-for wildcard doesn't show up. Well, that's a good reason to pay up I guess.

1 comments

If a certificate has been issued for a domain, and that domain doesn't show up in the certificate transparency logs, that's not something I'd cheer for: that issuer could just as well hand out certificates for your domain to others without you ever knowing about it.

Conversely, if a domain shows up in the CT logs, then there have been certificates issued for those domains, even if there exists a wildcard certificate that is valid for that domain. If that happens, check your settings, because there's probably something requesting certificates you're not aware of.
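
The check suggested in the reply above, as an added example that is not part of the original thread: audit certificate transparency entries for your domain and flag certificates from issuers you do not use, as well as explicit per-subdomain certificates that a wildcard you already hold would cover. The records are constructed samples using field names from crt.sh's JSON output (`id`, `issuer_name`, `name_value`); the domain, the issuer allow-list and the function names are assumptions.

```python
# Constructed sample records shaped like crt.sh JSON output; not real log data.
SAMPLE = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com\nexample.com"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "git.example.com"},
    {"id": 1003, "issuer_name": "C=XX, O=Constructed CA, CN=Constructed Issuing CA",
     "name_value": "vpn.example.com"},
]

EXPECTED_ISSUERS = ("Let's Encrypt",)  # assumption: the only CA you request from
WILDCARD = "*.example.com"             # assumption: the wildcard you hold


def covered_by_wildcard(name, wildcard):
    """True if `name` matches `wildcard`; '*' stands for exactly one label."""
    if not wildcard.startswith("*."):
        return False
    suffix = wildcard[1:]              # ".example.com"
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]
    return label != "" and "." not in label


def audit(entries, expected_issuers, wildcard):
    """Return (cert id, reason, detail) tuples for entries worth investigating."""
    findings = []
    for entry in entries:
        # name_value holds one DNS name per line.
        names = sorted(set(entry["name_value"].lower().split("\n")))
        if not any(marker in entry["issuer_name"] for marker in expected_issuers):
            findings.append((entry["id"], "unexpected issuer", entry["issuer_name"]))
        # A wildcard already covers these names, so something else requested them.
        explicit = [n for n in names
                    if n != wildcard and covered_by_wildcard(n, wildcard)]
        if explicit:
            findings.append((entry["id"], "explicit name despite wildcard",
                             ",".join(explicit)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED_ISSUERS, WILDCARD):
        print(finding)
```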