Per Paul's question about EV onion certs specifically: the public Certificate Transparency logs are pretty great. They allow some audit trail on cert issuance, revocations, reissues, etc. -- and the data includes the "browser-friendly" .onion EV certs that DigiCert is issuing. https://www.certificate-transparency.org/ Comodo has a pretty decent search interface for CT logs that aggregates the various log servers, so you can search for things like "%.onion": https://crt.sh/?q=%25.onion Looks like that search result list also includes subjectAltNames and things like that for multi-domain certs, which is pretty nice. But this'll only be for the few CA-issued EV certs that exist, not the common cases of self-signed certs or onion sites serving TLS with their clearnet domain cert. (Those two cases seem to be the bulk of the older wiki lists and what Juha reported.) Best, -- Mike Tigas News Applications Developer, ProPublica https://www.propublica.org/ @mtigas | https://mike.tig.as/ | 0xA993E7156E0E9923