I don’t want certain sub-domain names to appear on the certificate transparency (CT) log. Any TLS server can serve different content based on SNI, and so do web servers based on the HTTP `Host:` header. This also makes it possible for a single server to act as a gateway for multiple domains.
Having these domain names on the public CT log has made it possible for (potentially malicious) parties to know about the existence of these domains whereby they have probed these domains for vulnerabilities. Without this knowledge they would not have been able to access these machines behind a gateway. It seems most probable that the attackers learned the domain names from the public CT log.
Would it be possible to opt out of certificate transparency (CT) for certificates for certain domains? I know there are other channels whereby a potential adversary could learn about these domains, but in practice, obscurity does have certain benefits in some cases. I don’t want to advertise the list of domains that can be accessed, probed or attacked.