certificate transparency at work

public logs of things...



certificate transparency

certificate transparency is the requirement that all TLS certs trusted by browsers be submitted to public, monitored logs. The primary purpose is to detect misissued certs.


There are 2 main ways we use CT information:

We get emails from Cloudflare every time a cert is issued. These land in an MS Teams channel, which unfortunately renders the HTML email and hides half the content, making it less than useful. Other options would be API searches via Censys or the crt.sh RSS feed. Facebook, SSLMate and others also have APIs, but they seem more limited.

We manually search for records, usually from crt.sh by Sectigo (high information density) or transparencyreport by Google.


How do we actually use this info? Usually this centers around our wildcard certificates, which have been handed out like candy before... Anyway, this is the best way to know which ones are valid/expiring, and we can point to it when some third party claims "some" certificate is expiring.
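A worked example of that second use (which certs are valid or expiring), added here and not part of the original notes: it parses crt.sh's JSON output, collapses the precertificate/certificate pairs that crt.sh lists as separate rows, and buckets the result by expiry date. The sample records and the .corp.example names are constructed; the crt.sh field names are the ones it returns today and are an assumption here, not a documented contract. fetch_crtsh is the live path and is not exercised by the sample run.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of crt.sh's JSON output (as returned by
# https://crt.sh/?q=<name>&output=json). Field names follow what crt.sh returns
# at the time of writing; treat them as an assumption, not a stable API.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "*.corp.example", "name_value": "*.corp.example\ncorp.example",
     "id": 1001, "entry_timestamp": "2024-01-10T12:00:00",
     "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T23:59:59",
     "serial_number": "0a1b2c"},
    # Same serial again: crt.sh lists the precertificate and the final
    # certificate as separate rows, so a naive count doubles everything.
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "*.corp.example", "name_value": "*.corp.example\ncorp.example",
     "id": 1002, "entry_timestamp": "2024-01-10T12:00:05",
     "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T23:59:59",
     "serial_number": "0A1B2C"},
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "*.corp.example", "name_value": "*.corp.example",
     "id": 1003, "entry_timestamp": "2024-07-01T09:00:00",
     "not_before": "2024-07-01T00:00:00", "not_after": "2025-06-30T23:59:59",
     "serial_number": "0d0e0f"},
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "vpn.corp.example", "name_value": "vpn.corp.example",
     "id": 1004, "entry_timestamp": "2023-06-01T09:00:00",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T23:59:59",
     "serial_number": "010203"},
])


def _ts(s):
    # crt.sh timestamps carry no zone designator; they are UTC.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def parse_crtsh(text):
    """Parse crt.sh JSON and keep one record per (issuer, serial) pair."""
    seen = {}
    for rec in json.loads(text):
        key = (rec["issuer_ca_id"], rec["serial_number"].lower())
        if key in seen:
            continue  # precert/cert duplicate of a serial already recorded
        seen[key] = {
            "id": rec["id"],
            "issuer": rec["issuer_name"],
            "names": sorted(set(rec["name_value"].split("\n"))),
            "not_before": _ts(rec["not_before"]),
            "not_after": _ts(rec["not_after"]),
            "serial": rec["serial_number"].lower(),
        }
    return list(seen.values())


def classify(certs, now, warn_days=30):
    """Bucket certs into expired / expiring (within warn_days) / valid, relative to now."""
    buckets = {"expired": [], "expiring": [], "valid": []}
    horizon = now + timedelta(days=warn_days)
    for c in certs:
        if c["not_after"] < now:
            buckets["expired"].append(c)
        elif c["not_after"] <= horizon:
            buckets["expiring"].append(c)
        else:
            buckets["valid"].append(c)
    for bucket in buckets.values():
        bucket.sort(key=lambda c: c["not_after"])
    return buckets


def report(text, now=None, warn_days=30):
    now = now or datetime.now(timezone.utc)
    return classify(parse_crtsh(text), now, warn_days)


def fetch_crtsh(name):
    """Live query (not run here); '%' is crt.sh's wildcard, so '%.corp.example' covers all subdomains."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": name, "output": "json"})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    now = datetime(2024, 12, 20, tzinfo=timezone.utc)  # fixed clock for the constructed sample
    for status, certs in report(SAMPLE_CRTSH_JSON, now).items():
        for c in certs:
            print(f"{status:8} id={c['id']} expires={c['not_after']:%Y-%m-%d} names={','.join(c['names'])}")
```

Deduplicating on issuer plus serial matters because crt.sh shows the precertificate and the leaf certificate as two rows; counting rows would make a single wildcard issuance look like two.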


There's a list of Google trusted logs, which can be accessed through the API specified in RFC 6962.

note: this API only provides the tree head plus numeric ranges of log entries.
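An added example (not from the original page) of working with that RFC 6962 read API: it turns a tree size from get-sth into the inclusive start/end index ranges get-entries accepts, and decodes the MerkleTreeLeaf structure each returned entry carries, which is how you get from "numeric ranges of entries" to a certificate and its timestamp. The get-entries response and leaf bytes are constructed (the cert bodies are placeholder bytes, not real DER); fetch_json and crawl are the assumed live path and are not exercised here.

```python
import base64
import json
import struct
import urllib.request
from datetime import datetime, timezone

# LogEntryType values from RFC 6962 section 3.1
X509_ENTRY, PRECERT_ENTRY = 0, 1


def plan_ranges(tree_size, batch=256):
    """Split [0, tree_size) into inclusive (start, end) pairs for get-entries.
    Logs cap entries per response and may return fewer than asked, so a real
    crawler should resume from the last index it actually received."""
    ranges, start = [], 0
    while start < tree_size:
        end = min(start + batch, tree_size) - 1
        ranges.append((start, end))
        start = end + 1
    return ranges


def parse_leaf(leaf_input_b64):
    """Decode the base64 MerkleTreeLeaf from a get-entries entry (RFC 6962 section 3.4)."""
    raw = base64.b64decode(leaf_input_b64)
    version, leaf_type = raw[0], raw[1]          # Version v1(0), MerkleLeafType timestamped_entry(0)
    if version != 0 or leaf_type != 0:
        raise ValueError(f"unsupported leaf version={version} type={leaf_type}")
    timestamp_ms, entry_type = struct.unpack(">QH", raw[2:12])  # uint64 timestamp, uint16 entry_type
    pos = 12
    issuer_key_hash = None
    if entry_type == PRECERT_ENTRY:
        # PreCert: 32-byte SHA-256 of the issuer's SubjectPublicKeyInfo, then the TBSCertificate
        issuer_key_hash, pos = raw[pos:pos + 32], pos + 32
    elif entry_type != X509_ENTRY:
        raise ValueError(f"unknown entry_type {entry_type}")
    # opaque ASN.1Cert<1..2^24-1> / TBSCertificate<1..2^24-1>: 3-byte length prefix
    cert_len = int.from_bytes(raw[pos:pos + 3], "big")
    cert = raw[pos + 3:pos + 3 + cert_len]
    pos += 3 + cert_len
    # CtExtensions<0..2^16-1>: 2-byte length prefix
    ext_len = int.from_bytes(raw[pos:pos + 2], "big")
    return {
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "entry_type": "precert_entry" if entry_type == PRECERT_ENTRY else "x509_entry",
        "issuer_key_hash": issuer_key_hash,
        "cert": cert,  # DER certificate, or DER TBSCertificate for precerts
        "extensions": raw[pos + 2:pos + 2 + ext_len],
    }


def encode_leaf(timestamp_ms, entry_type, cert, issuer_key_hash=b""):
    """Inverse of parse_leaf; used here only to build the constructed sample entries."""
    body = bytes([0, 0]) + struct.pack(">QH", timestamp_ms, entry_type)
    if entry_type == PRECERT_ENTRY:
        body += issuer_key_hash
    body += len(cert).to_bytes(3, "big") + cert + (0).to_bytes(2, "big")
    return base64.b64encode(body).decode("ascii")


def sample_get_entries():
    """Constructed get-entries response: one x509 entry and one precert entry.
    The cert bodies are placeholder bytes, not real DER."""
    return {"entries": [
        {"leaf_input": encode_leaf(1700000000000, X509_ENTRY, b"\x30\x82placeholder-der"),
         "extra_data": ""},
        {"leaf_input": encode_leaf(1700000060000, PRECERT_ENTRY, b"\x30\x82placeholder-tbs", b"\x11" * 32),
         "extra_data": ""},
    ]}


def fetch_json(log_url, path):
    """GET <log_url>/ct/v1/<path>; log_url is a base URL taken from the Google log list (live path, not run here)."""
    with urllib.request.urlopen(f"{log_url.rstrip('/')}/ct/v1/{path}", timeout=30) as resp:
        return json.load(resp)


def crawl(log_url, tree_size, batch=256):
    """Walk a log by index, which is all the RFC 6962 read API offers: no search by name."""
    for start, end in plan_ranges(tree_size, batch):
        for entry in fetch_json(log_url, f"get-entries?start={start}&end={end}")["entries"]:
            yield parse_leaf(entry["leaf_input"])


if __name__ == "__main__":
    # live usage would be: sth = fetch_json(url, "get-sth"); crawl(url, sth["tree_size"])
    for entry in sample_get_entries()["entries"]:
        leaf = parse_leaf(entry["leaf_input"])
        print(leaf["timestamp"].isoformat(), leaf["entry_type"], len(leaf["cert"]), "bytes")
```

Because the API is index-based only, finding your own domains in a log means decoding every leaf and inspecting the certificate names yourself; that is the gap services like crt.sh fill by indexing the logs for you.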