Certificate Transparency (CT)

Transparency and detection of fraudulent certificates.

Certificate Transparency is a security framework that publicly logs all issued SSL certificates. This allows detecting fraudulent or erroneous certificates issued for your domain.

Since 2018, all certificates must be logged in CT logs to be accepted by Chrome. It's a fundamental protection against compromised CAs.

This guide explains how CT works and how to monitor certificates issued for your domains.

How CT Works

Certificate Transparency components:

  • CT Logs: append-only public logs that record every issued certificate.
  • SCT: Signed Certificate Timestamp, proof of log registration.
  • Monitors: services that watch logs to detect anomalies.
  • Auditors: verify log integrity and SCT presence.

CT Benefits

Why CT is essential:

  • Rapid detection: immediately discover if a fraudulent certificate is issued for your domain.
  • CA accountability: CAs can no longer issue certificates secretly.
  • Proof of issuance: each certificate has cryptographic proof of registration.
  • Transparency: anyone can audit the public logs.

Monitor Your Domains

How to monitor certificates issued for your domains:

  1. Subscribe to a monitor: use crt.sh, Facebook CT Monitor, or Cert Spotter.
  2. Configure alerts: receive a notification for each new certificate.
  3. Verify legitimacy: ensure detected certificates are actually yours.
  4. React quickly: for fraudulent certificates, request revocation immediately.

Monitoring Tools

Commands and tools for CT:

# Search certificates for a domain on crt.sh
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq .

# Verify certificate SCTs
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \
  openssl x509 -noout -text | grep -A 20 "CT Precertificate"

# Use ct-exposer for monitoring
# https://github.com/AltDNS/ct-exposer
ct-exposer -d example.com

crt.sh is the most used search engine for CT logs.

Best Practices

Get the most out of CT:

  • Monitor your domains: subscribe all your domains to a CT monitoring service.
  • Include subdomains: monitor *.yourdomain.com to cover all subdomains.
  • React fast: for fraudulent certificates, act within the hour.
  • Document legitimate ones: keep a list of expected certificates to ease verification.
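As an added example (not part of the original guide), the following Python script implements steps 3 and 4 of the monitoring procedure above together with the "document legitimate ones" practice: it parses crt.sh JSON output and flags entries whose issuer or names fall outside an owner-maintained allowlist. The sample records, the allowlist and the function names are constructed for illustration.

```python
import json
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json); ids, names and dates are made up.
SAMPLE_CRTSH_JSON = """[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com",
  "name_value": "example.com\\nwww.example.com", "not_after": "2024-05-30T10:00:00"},
 {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "api.example.com",
  "name_value": "api.example.com", "not_after": "2024-05-31T09:00:00"},
 {"id": 1003, "issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA", "common_name": "login.example.com",
  "name_value": "login.example.com", "not_after": "2025-03-03T08:00:00"},
 {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com",
  "name_value": "example.com\\nexample.org", "not_after": "2024-06-01T00:00:00"}
]"""

# Hypothetical allowlist maintained by the domain owner (the "list of expected
# certificates" from the best practices): which CAs may issue, and for which names.
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}
EXPECTED_NAMES = {"example.com", "*.example.com"}  # fnmatch patterns; '*' also spans dots


def parse_crtsh(raw):
    """Parse crt.sh JSON. crt.sh lists every SAN in name_value, one per line."""
    records = []
    for r in json.loads(raw):
        names = {n.strip().lower() for n in r["name_value"].split("\n") if n.strip()}
        names.add(r["common_name"].strip().lower())
        records.append({"id": r["id"], "issuer": r["issuer_name"], "names": names,
                        "not_after": datetime.fromisoformat(r["not_after"])})
    return records


def find_unexpected(raw, expected_issuers, expected_names, now=None, seen_ids=()):
    """Return [(crt.sh id, reason)] for log entries a human should review."""
    now = now or datetime.now()
    findings = []
    for rec in parse_crtsh(raw):
        if rec["id"] in seen_ids or rec["not_after"] < now:
            continue  # already reviewed, or expired and no longer usable by an attacker
        if rec["issuer"] not in expected_issuers:
            findings.append((rec["id"], "unexpected issuer: " + rec["issuer"]))
        odd = sorted(n for n in rec["names"]
                     if not any(fnmatchcase(n, p) for p in expected_names))
        if odd:  # e.g. a cert that bundles your domain with someone else's
            findings.append((rec["id"], "unexpected names: " + ", ".join(odd)))
    return findings
```

Running find_unexpected on the sample with now=datetime(2024, 4, 1) flags entry 1003 (unknown issuer) and 1004 (a SAN for example.org); with now in 2025 only 1003 remains, since the other entries have expired.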

CT Checklist

  • Domains subscribed to a CT monitor
  • Email alerts configured
  • Subdomains included
  • Revocation procedure documented
  • Legitimate certificate list maintained
  • Global monitoring with MoniTao

Frequently Asked Questions

Does CT reveal secret subdomains?

Yes, every logged certificate, including the names it covers, is public. Use wildcard certificates if you do not want individual subdomain names to appear in the logs.

Can I avoid CT?

No, since 2018 certificates without CT are not accepted by Chrome.

What is crt.sh?

A free search engine that indexes all public CT logs.

How does SCT work?

The log signs a timestamp attesting that the certificate was submitted to it for inclusion. This SCT is embedded in the issued certificate so that clients can check it.

What if I detect a fraudulent certificate?

Immediately contact the issuing CA to request revocation.

Are CT logs reliable?

Yes, they use cryptographic structures (append-only Merkle trees) that make any tampering with past entries detectable.

CT: Essential Protection

Certificate Transparency is a major advance for SSL security. Monitor your domains to detect any suspicious issuance.

Combine CT monitoring with MoniTao for complete protection of your SSL infrastructure.
