Sauteed onions associate registered domain names with onion addresses. These associations are established in TLS certificates, making them publicly enumerable in append-only CT logs.

One of the most prominent use-cases of sauteed onions is to help users defeat censorship of TLS sites: onionsites can be used if they are discoverable, which is what sauteed onions help with. This tightens the relation between registered domain names, HTTPS, and onionsites.

Search for onion addresses

You can use any existing certificate search service to check if a registered domain name has an associated onion address. What we will be looking for is a domain name on the form:

<onion addr>

Let’s give it a go using

What is the onion address of

Search for at

Below is the search result.

Search results for at

So, the onion address is:


A search service that is tailored specifically for sauteed onions is available and operated by us. Try:

Setup for site owners

Suppose that you have a website, for example:

and that you have an associated onion address (if not, see FAQ):


To set up sauteed onions, you need a TLS certificate for with the following SAN:

The required steps:

  1. Configure the above SAN in DNS. Just like, it needs to be resolvable at the time of issuing the certificate so that the CA can validate the domain.
  2. Follow the usual steps that are required to obtain a TLS certificate for, but also add the above SAN to satisify the sauteed onion criteria.

Note that this works with any of today’s CAs. See some examples below. Don’t forget step 1.

Let’s Encrypt

Let’s Encrypt offers free and automated certificate issuance.
Simply use the -d option in certbot. Here’s an example using Apache:

# do the usual certbot configuration, but list all SANs with the -d option
$ certbot --apache -d\,\

When using Nginx rather than Apache, you might need to change /etc/nginx/nginx.conf to increase the value of server_names_hash_bucket_size to, say, 128. Don’t forget to reload Nginx.


HARICA issues domain validated certificates for .onion addresses as well as DNS resolvable domain names. Login and go to server certificates. Add your SANs and follow the instructions.

inserting SANs in HARICA’s certificate request UX