The command to view remote SSL/TLS certification with OpenSSL is a bit overcomplicated and we don't need all the details but just to fetch the Alternative name where there can be potential subdomains. We can use the ssl-cert script of nmap to do that:
➜ nmap -p 443 --script ssl-cert blog.futurevera.thm Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 19:56 CEST Nmap scan report for blog.futurevera.thm (10.10.48.46) Host is up (0.027s latency). rDNS record for 10.10.48.46: futurevera.thm
PORT STATE SERVICE 443/tcp open https | ssl-cert: Subject: commonName=blog.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US | Issuer: commonName=blog.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2022-03-13T10:22:57 | Not valid after: 2023-03-13T10:22:57 | MD5: 8df0656c3814dd46c6ed5371e007d0e9 |_SHA-1: 6641a3bdc9f787f0bc84171abce4897b3711d28e
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
➜ nmap -p 443 --script ssl-cert support.futurevera.thm Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 19:58 CEST Nmap scan report for support.futurevera.thm (10.10.48.46) Host is up (0.027s latency). rDNS record for 10.10.48.46: futurevera.thm
PORT STATE SERVICE 443/tcp open https | ssl-cert: Subject: commonName=support.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US | Subject Alternative Name: DNS:secrethelpdesk934752.support.futurevera.thm | Issuer: commonName=support.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2022-03-13T14:26:24 | Not valid after: 2024-03-12T14:26:24 | MD5: aef3dd042e6ae9196b68ac30c2d1177a |_SHA-1: d62ec5cadbe8c933359faa67f0adf6e7e4fee395
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
So in support.futurevera.thm certificate, there is a secret alt name: secrethelpdesk934752.support.futurevera.thm.