morning,

So when I first started homelabbing I didn't use my wildcard certs, because I didn't fully understand Traefik's implementation of Let's Encrypt. Does anyone know how to remove my registered SSL certs from being publicly viewable, for example on https://crt.sh/?

  • GolemancerVekk@alien.topB · 1 upvote · 11 months ago

    Certificate transparency logs play a vital role, so you can't remove any information from them. They let everybody (including you) verify that the certificates are genuine, and they keep certificate authorities honest.

    If the part that’s bothering you is that your subdomains are known, the solution is to get wildcard certs then replace all the former subdomains with new ones that don’t appear in the log.

    If the part that’s bothering you is simply that old domain names are still resolved, the trick is to not get wildcard DNS records. The certs should be issued for a wildcard (*.domain.tld) but the actual subdomains should be defined explicitly (CNAME example.domain.tld -> domain.tld but not CNAME *.domain.tld -> domain.tld); otherwise all the previously defined subdomains will keep working.

    I think most of us have been through this, myself included. Not only did I define subdomains before learning about logs and wildcards, I also had domains that were used at some point with freedns.afraid.org and had random people issue certs for various subdomains, and all of that is now in the transparency logs.

  • borouhin@alien.topB · 1 upvote · 11 months ago

    Heh, it’s a valuable OSINT source of information indeed :) Even if it was just one time a sysadmin issued a single certificate for multiple domains that were not meant to look connected to each other, CT logs show that these domains’ owners are actually affiliated.
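Both replies above come down to things you can check yourself: which hostnames your domain has already leaked into CT, whether those names still resolve once you switch to a wildcard cert with explicit DNS records, and which domains the logs tie together because they once shared a certificate. The script below is an added example, not code from either commenter or from crt.sh. It parses the JSON shape that https://crt.sh/?q=%25.example.com&output=json returns (a list of objects whose `name_value` field holds newline-separated SAN names), runs against a constructed sample response embedded inline, and models DNS resolution with a simplified in-memory zone rather than real lookups. The `fetch_crtsh` helper for a live query is included but not exercised offline; the sample data, `example.com` and `example.net` are placeholders.

```python
"""Audit a domain's Certificate Transparency footprint using crt.sh's JSON
output format, then check which leaked names still resolve under a given
DNS zone layout and which unrelated domains share a certificate."""
import json
import urllib.request
from typing import List, Set, Tuple

# Constructed sample, in the shape https://crt.sh/?q=%25.example.com&output=json
# returns (only the fields this script reads). Not real CT data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "plex.example.com",
     "name_value": "plex.example.com"},
    {"id": 2, "common_name": "nextcloud.example.com",
     "name_value": "nextcloud.example.com\nwww.nextcloud.example.com"},
    # One cert covering an unrelated-looking domain: that link is now public.
    {"id": 3, "common_name": "shop.example.com",
     "name_value": "shop.example.com\nexample.net\nwww.example.net"},
    # Wildcard cert: the log shows only *.example.com, not the hosts behind it.
    {"id": 4, "common_name": "example.com",
     "name_value": "example.com\n*.example.com"},
])


def fetch_crtsh(apex: str) -> str:
    """Live query (not used by the offline demo): crt.sh JSON for %.apex."""
    url = f"https://crt.sh/?q=%25.{apex}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


def ct_names(crtsh_json: str) -> Set[str]:
    """Every DNS name in the returned entries (name_value is newline-separated SANs)."""
    names: Set[str] = set()
    for entry in json.loads(crtsh_json):
        for n in entry.get("name_value", "").split("\n"):
            n = n.strip().lower()
            if n:
                names.add(n)
    return names


def split_exposed(names: Set[str], apex: str) -> Tuple[Set[str], Set[str]]:
    """Wildcard entries versus explicit hostnames under apex; only the latter leak host names."""
    wildcards = {n for n in names if n.startswith("*.")}
    explicit = {n for n in names
                if not n.startswith("*.") and n != apex and n.endswith("." + apex)}
    return wildcards, explicit


def resolves(name: str, zone: Set[str], apex: str) -> bool:
    """Simplified resolver: a zone is a set of record owner names, possibly
    including a '*.apex' wildcard that answers for any name below the apex
    lacking its own record (DNS empty-non-terminal rules are ignored)."""
    if name in zone:
        return True
    return f"*.{apex}" in zone and name.endswith("." + apex)


def still_reachable(crtsh_json: str, apex: str, zone: Set[str]) -> List[str]:
    """Hostnames leaked through CT that an outsider can still resolve under this zone."""
    _, explicit = split_exposed(ct_names(crtsh_json), apex)
    return sorted(n for n in explicit if resolves(n, zone, apex))


def apex_of(name: str) -> str:
    """Naive registrable domain (last two labels); real code should use the Public Suffix List."""
    return ".".join(name.lstrip("*.").split(".")[-2:])


def affiliated_domains(crtsh_json: str) -> List[frozenset]:
    """Groups of registrable domains that were issued together on one certificate."""
    groups = set()
    for entry in json.loads(crtsh_json):
        apexes = {apex_of(n) for n in entry.get("name_value", "").split("\n") if n.strip()}
        if len(apexes) > 1:
            groups.add(frozenset(apexes))
    return sorted(groups, key=sorted)


if __name__ == "__main__":
    apex = "example.com"
    wild, explicit = split_exposed(ct_names(SAMPLE_CRTSH_JSON), apex)
    print("wildcard entries:", sorted(wild))
    print("hostnames leaked in CT:", sorted(explicit))
    # Wildcard DNS record: every leaked name keeps resolving.
    print("reachable with *.example.com DNS:",
          still_reachable(SAMPLE_CRTSH_JSON, apex, {apex, f"*.{apex}"}))
    # Explicit records under new names: the leaked ones go dark.
    print("reachable with explicit DNS:",
          still_reachable(SAMPLE_CRTSH_JSON, apex, {apex, "cloud.example.com", "media.example.com"}))
    print("domains linked by a shared cert:",
          [sorted(g) for g in affiliated_domains(SAMPLE_CRTSH_JSON)])
```

Run it as-is to see the offline demo; swap `SAMPLE_CRTSH_JSON` for `fetch_crtsh("yourdomain.tld")` to audit a real domain. The two `still_reachable` calls are the point of the first reply: with a `*.example.com` DNS record every name already in the logs keeps answering, while with explicit records under fresh names the leaked hostnames resolve to nothing, even though the log entries themselves remain. `affiliated_domains` is the second reply's OSINT angle: any certificate whose SAN list spans more than one registrable domain ties those domains to the same operator for as long as the log exists.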