Certificate Transparency (CT) is an open framework designed to detect and prevent SSL/TLS certificate mis-issuance. By requiring Certificate Authorities to publicly log all certificates they issue, CT enables domain owners to monitor for unauthorized certificates and detect problems that might otherwise go unnoticed.
Before CT, if a CA mistakenly or maliciously issued a certificate for your domain, you'd likely never know. Attackers could use such a certificate for man-in-the-middle attacks without anyone noticing.
CT changes this by making certificate issuance publicly auditable.
What is Certificate Transparency?
Certificate Transparency is a system where CAs must submit certificates to public, append-only logs before issuance. These logs maintain cryptographic proof of all certificates issued, creating an auditable record that anyone can examine.
How CT Works
- CA issues a certificate
- CA submits it to CT logs
- CA receives Signed Certificate Timestamps (SCTs) as proof
- Browsers verify SCTs when connecting
Who Operates CT Logs?
CT logs are operated by various organizations:
- Cloudflare
- DigiCert
- Sectigo
- Let's Encrypt
Certificates typically appear in multiple logs for redundancy.
Multiple Purposes
Certificate Transparency serves several purposes:
- Domain owners can monitor for unauthorized certificates
- The security community can detect CA misbehavior
- The entire ecosystem benefits from accountability that was previously absent
Why Certificate Transparency Matters
CT addresses real problems that have occurred repeatedly.
Historical CA Failures
| Incident | Year | Impact |
|---|---|---|
| DigiNotar compromise | 2011 | Fraudulent certificates for Google domains |
| WoSign/StartCom | 2016 | Backdated certificates, improper validation |
| Symantec mis-issuance | 2017 | Thousands of improperly issued certificates |
Before CT, detecting these mis-issuances relied on luck or attacker mistakes. CT makes detection systematic.
Security Visibility for Domain Owners
CT monitoring provides valuable security visibility. You can detect if someone obtains a certificate for your domain through:
- Social engineering a CA
- Compromising CA systems
- Exploiting validation vulnerabilities
Early detection enables rapid response:
- Report the certificate for revocation
- Investigate how it was obtained
- Take protective measures
Inventory Management
Beyond fraud detection, CT monitoring catches legitimate but unexpected certificates. A developer might, for example, obtain a certificate for a staging subdomain from a CA other than your standard one.
CT monitoring reveals this, enabling:
- Certificate inventory management
- Policy enforcement
- Standardization across teams
How Certificate Transparency Works
The CT Ecosystem Components
| Component | Role |
|---|---|
| Log servers | Maintain append-only databases with cryptographic proofs |
| Monitors | Watch logs for certificates matching specified criteria |
| Auditors | Verify logs behave correctly and don't fork |
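The "cryptographic proofs" in the table are Merkle tree hashes: a log commits to its entries with a single root hash and can prove that any entry is included. The following is an added example (not code from the article or from any log operator) of the RFC 6962 tree hash and of verifying an inclusion proof against a root, the check a monitor or auditor performs after fetching a proof from a log; the entries are constructed byte strings standing in for certificates.

```python
import hashlib

# Added example, not from the article: RFC 6962 Merkle Tree Hash and inclusion proof.
def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
def leaf_hash(entry: bytes) -> bytes:
    return _sha256(b"\x00" + entry)         # 0x00 prefix domain-separates leaves
def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)  # 0x01 prefix for interior nodes
def _split(n: int) -> int:
    k = 1                                   # largest power of two strictly less than n
    while k * 2 < n:
        k *= 2
    return k

def mth(entries) -> bytes:
    """Merkle Tree Hash of a non-empty list of log entries (RFC 6962 section 2.1)."""
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(mth(entries[:k]), mth(entries[k:]))

def inclusion_proof(entries, m: int):
    """Audit path for leaf m, ordered from the leaf's sibling up to the root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [mth(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [mth(entries[:k])]

def verify_inclusion(leaf: bytes, index: int, tree_size: int, proof, root: bytes) -> bool:
    """Recompute the root from leaf and proof (the RFC 9162 section 2.1.3.2 algorithm)."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False                    # proof is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)             # we are a right child: sibling goes left
            while fn and not fn & 1:        # climb past nodes on the tree's right edge
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)             # we are a left child: sibling goes right
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

A real log signs the root in its Signed Tree Head, so the same check, run against a fetched proof, tells you whether the log really contains a certificate it claims to.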
The Certificate Issuance Flow
- CA submits certificate to multiple CT logs
- Logs return Signed Certificate Timestamps (SCTs)
- CA embeds SCTs in the certificate (or delivers via TLS extension or OCSP stapling)
- Browsers verify SCT presence and validity as part of certificate validation
Monitoring Process
CT monitoring services query logs continuously, identifying new certificates for domains you specify:
- Legitimate certificates (your own renewals) are expected
- Unexpected certificates warrant immediate attention
```bash
# Query CT logs for certificates issued to a domain
# Using crt.sh (a public CT log search); "%" is crt.sh's wildcard and must be URL-encoded as %25
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq '.'
```
Most CT monitoring services check multiple logs and provide near-real-time alerting, typically detecting new certificates within hours of issuance.
CT Monitoring Best Practices
Implement Comprehensive Monitoring
- Monitor all your domains
- Monitor important subdomains
- Include wildcard pattern monitoring
- Use multiple monitoring services for redundancy
Free services like Cert Spotter and Facebook CT Monitoring make basic monitoring accessible. Commercial services offer additional features for enterprise needs.
Configure Proper Alerting
- Alerts should reach security-responsible personnel
- Ensure alerts are actionable (include certificate details)
- Configure escalation for unacknowledged alerts
Develop Response Procedures
Create documented procedures for unexpected certificates:
- Investigate: Is this certificate legitimate or unauthorized?
- Revoke: If unauthorized, request immediate revocation
- Analyze: How was the certificate obtained?
- Remediate: Strengthen controls to prevent recurrence
Reduce Alert Noise
Distinguish between truly suspicious certificates and expected issuances:
- Configure monitoring to recognize known-good certificates
- Whitelist your legitimate CAs
- Highlight unexpected ones clearly
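The monitoring step above returns every certificate for the domain, so the triage described in this section (recognising known-good issuers, highlighting the rest) is what turns the feed into alerts. The following is an added example, not code from the article or from crt.sh, that classifies crt.sh JSON results against an assumed issuer allowlist and an assumed inventory of expected names; the three records are constructed, with field names following crt.sh's JSON output.

```python
import json

# Added example, not from the article: triage of crt.sh results against an allowlist.
ALLOWED_ISSUERS = ("Let's Encrypt", "DigiCert")                          # assumed: CAs you use
EXPECTED_NAMES = {"example.com", "www.example.com", "api.example.com"}  # assumed inventory

# Constructed sample records in the shape of crt.sh's JSON output.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
    {"id": 1002, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "staging.example.com"},
    {"id": 1003, "issuer_name": "C=XX, O=Some Other CA, CN=Other CA Issuing",
     "name_value": "*.example.com"},
])

def triage(crtsh_json, allowed_issuers=ALLOWED_ISSUERS, expected_names=EXPECTED_NAMES):
    """Return (crt.sh id, severity, reasons) for every certificate that needs a look."""
    findings = []
    for rec in json.loads(crtsh_json):
        # name_value lists every subject name in the certificate, one per line
        names = [n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()]
        reasons = []
        if not any(ca in rec["issuer_name"] for ca in allowed_issuers):
            reasons.append("issuer not on allowlist")
        wildcards = [n for n in names if n.startswith("*.")]
        if wildcards:
            reasons.append("wildcard: " + ",".join(wildcards))
        unexpected = [n for n in names if n not in expected_names and n not in wildcards]
        if unexpected:
            reasons.append("unexpected name: " + ",".join(unexpected))
        if reasons:
            # An unknown issuer or a wildcard is worth paging on; a new name under a
            # CA you already use is more likely an inventory gap to review.
            severity = "alert" if (wildcards or "issuer not on allowlist" in reasons) else "review"
            findings.append((rec["id"], severity, reasons))
    return findings

if __name__ == "__main__":
    for cid, sev, why in triage(SAMPLE_CRTSH_JSON):
        print(f"crt.sh/?id={cid} [{sev}] {'; '.join(why)}")
```

Feeding the output of the `curl` command above into `triage` gives the same split: known-good renewals produce nothing, inventory gaps come back as "review", and certificates from CAs you never authorised come back as "alert".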
Monitor Wildcard Certificates
A certificate for *.example.com covers all subdomains. Attackers might obtain wildcards to maximize their attack surface, since a single mis-issued wildcard is valid for every host under the domain, so treat unexpected wildcard certificates as high priority.
Combine with Other Security Measures
CT monitoring works best alongside:
- CAA records: Restrict which CAs can issue for your domains
- Proper domain validation: Configure accounts with your CAs securely
- Regular certificate inventory review: Audit what certificates exist for your domains
```dns
; CAA record example - only allow Let's Encrypt
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
```
Conclusion
Certificate Transparency provides crucial visibility into certificate issuance for your domains. By monitoring CT logs, you can detect unauthorized certificates before they're used in attacks.
Key Actions
- Implement CT monitoring for all your domains
- Configure alerts to reach the right people
- Develop response procedures for unexpected certificates
- Combine with CAA records and other certificate security measures