Digital certificates used in SSL/TLS communications are another public resource that can inform your pen test actions. One of the most useful fields in a digital certificate from a reconnaissance perspective is the subject alternative name (SAN). SANs usually identify specific subdomains that the certificate applies to, but can also identify other domains, IP addresses, and email addresses. Organizations use SANs in their certificates so that they don't need to purchase and use different certificates for each individual resource. The resources identified in a SAN may reveal new targets for you to focus on. Note that some certificates simply use a wildcard (*) character to denote that all subdomains of the parent domain are covered by the certificate. In this case, you might not be able to identify any specific resources.
In addition to SANs, under the Certificate Transparency (CT) framework, the logs of public certificate authorities (CAs) are published for anyone to access. These logs record the domains and subdomains that each certificate a CA has issued applies to. This can enable you to discover subdomains that may no longer be named on the current certificate but still exist. For example, an organization might have listed a specific SAN in the past but later moved to a wildcard. That past domain might still be listed in the CT logs of the issuing CA.