Certificate Transparency (CT) is a revolutionary security mechanism that brings accountability to the certificate ecosystem. It helps domain owners detect unauthorized certificates and prevents certificate authorities from secretly issuing certificates for domains they shouldn't. Here's how it works and why it matters.

The Problem CT Solves

The Certificate Trust Model

HTTPS security relies on Certificate Authorities (CAs) only issuing certificates to legitimate domain owners. But with hundreds of trusted CAs, and any CA able to issue certificates for any domain, the system is vulnerable to:

Compromised CAs: Attackers gaining control of a CA's signing keys
Malicious insiders: CA employees issuing fraudulent certificates
Government coercion: CAs forced to issue surveillance certificates
Validation failures: CAs mistakenly issuing certificates to the wrong party

Real-World Incidents

Before CT, major incidents occurred:

DigiNotar (2011): Attackers issued certificates for google.com, used for Iranian surveillance
Comodo (2011): Fraudulent certificates for major sites including Gmail
CNNIC (2015): Unauthorized Google certificates issued
Symantec (2015-2017): Thousands of improperly issued certificates

These incidents were often discovered by accident. CT ensures every certificate is publicly logged and auditable.

How Certificate Transparency Works

The CT Ecosystem

CA submits certificate: Before issuing, the CA submits the certificate to CT logs
Log returns SCT: The log adds the certificate and returns a Signed Certificate Timestamp (SCT)
Certificate includes SCT: The CA embeds the SCT in the certificate or delivers it separately
Browser verifies SCT: When connecting, browsers verify the certificate has valid SCTs
Public monitoring: Anyone can search CT logs for certificates issued for their domain

CT Log Structure

CT logs are append-only, cryptographically verifiable data structures (Merkle trees). Key properties:

Append-only: Certificates can only be added, never removed or modified
Publicly auditable: Anyone can verify the log's integrity
Consistent: All observers see the same log contents

SCT Delivery Methods

Servers can provide SCTs in three ways:

X.509v3 extension: Embedded directly in the certificate (most common)
TLS extension: Delivered during the TLS handshake
OCSP stapling: Included in the OCSP response

Browser Requirements

Chrome's CT Policy

Chrome requires all publicly-trusted certificates to have valid SCTs. The number required depends on certificate validity:

< 15 months: 2 SCTs from different logs
15-27 months: 3 SCTs
27-39 months: 4 SCTs
> 39 months: 5 SCTs

Safari's CT Policy

Safari requires at least 2 SCTs from approved logs, with additional requirements for longer-lived certificates.

Firefox

Firefox doesn't currently enforce CT but plans to in the future.

Monitoring CT Logs

Why Monitor?

CT monitoring alerts you to:

Certificates issued without your authorization
Potential phishing sites using similar domain names
Shadow IT using unauthorized subdomains
Certificate misconfigurations by your team

Free Monitoring Services

crt.sh: Search and subscribe to certificate issuance
Google Certificate Transparency: Search Google's CT logs
Facebook Certificate Transparency Monitoring: Free monitoring with alerts
Cert Spotter: Open-source monitoring tool

Setting Up Monitoring

# Search for certificates issued for your domain on crt.sh
curl "https://crt.sh/?q=%.example.com&output=json" | jq '.[0:5]'

# Using certspotter
certspotter -domain example.com -follow

What to Look For

When reviewing CT logs, investigate:

Certificates for subdomains you don't recognize
Certificates from CAs you don't use
Multiple certificates issued in a short time
Certificates with unusual validity periods
Wildcard certificates you didn't request

Responding to Suspicious Certificates

Verification Steps

Check ownership: Verify if the certificate was legitimately requested
Identify the CA: Contact them about the certificate's origin
Review validation: Understand how domain ownership was verified
Check for compromise: If unauthorized, investigate how validation was bypassed

Revocation

If you find an unauthorized certificate:

Contact the issuing CA immediately
Provide proof of domain ownership
Request certificate revocation
Monitor for additional unauthorized certificates
Consider implementing CAA records

CAA Records: Preventing Unauthorized Issuance

Certificate Authority Authorization (CAA) DNS records specify which CAs can issue certificates for your domain:

# Only allow Let's Encrypt and DigiCert to issue certificates
example.com.  CAA  0 issue "letsencrypt.org"
example.com.  CAA  0 issue "digicert.com"
example.com.  CAA  0 issuewild ";"  # Prevent wildcard certificates

# Send reports of policy violations
example.com.  CAA  0 iodef "mailto:security@example.com"

CAA Record Types

issue: CAs allowed to issue certificates
issuewild: CAs allowed to issue wildcard certificates
iodef: Where to report policy violations

CAA Best Practices

Always set CAA records for your domains
Be explicit about wildcard policies
Include an iodef record for notifications
Review CAA records when changing CAs

CT for Security Teams

Asset Discovery

CT logs reveal your certificate footprint, including:

All subdomains with certificates
Shadow IT and forgotten systems
Third-party services using your domain
Historical certificate information

Incident Detection

CT monitoring can detect:

Phishing infrastructure being set up
Compromised DNS leading to certificate issuance
Insider threats requesting unauthorized certificates
Supply chain attacks on your vendors

Compliance

Many security frameworks now recommend or require CT monitoring:

PCI DSS for payment processing
SOC 2 for service organizations
Industry-specific requirements (financial, healthcare)

CT Implementation Checklist

Ensure all your certificates include valid SCTs
Set up CT log monitoring for your domains
Configure CAA records to restrict certificate issuance
Establish a process to investigate CT alerts
Document your approved CAs and subdomains
Include CT monitoring in your security program
Use SecScanner to verify CT compliance
Review CT logs during security assessments
Train teams on CT alert handling
Test your incident response for unauthorized certificates

Certificate Transparency has fundamentally improved web security by making certificate issuance auditable. Take advantage of this visibility to protect your domains and users.

The Problem CT Solves

The Certificate Trust Model

Compromised CAs: Attackers gaining control of a CA's signing keys
Malicious insiders: CA employees issuing fraudulent certificates
Government coercion: CAs forced to issue surveillance certificates
Validation failures: CAs mistakenly issuing certificates to the wrong party

Real-World Incidents

Before CT, major incidents occurred:

DigiNotar (2011): Attackers issued certificates for google.com, used for Iranian surveillance
Comodo (2011): Fraudulent certificates for major sites including Gmail
CNNIC (2015): Unauthorized Google certificates issued
Symantec (2015-2017): Thousands of improperly issued certificates

These incidents were often discovered by accident. CT ensures every certificate is publicly logged and auditable.

How Certificate Transparency Works

The CT Ecosystem

CA submits certificate: Before issuing, the CA submits the certificate to CT logs
Log returns SCT: The log adds the certificate and returns a Signed Certificate Timestamp (SCT)
Certificate includes SCT: The CA embeds the SCT in the certificate or delivers it separately
Browser verifies SCT: When connecting, browsers verify the certificate has valid SCTs
Public monitoring: Anyone can search CT logs for certificates issued for their domain

CT Log Structure

CT logs are append-only, cryptographically verifiable data structures (Merkle trees). Key properties:

Append-only: Certificates can only be added, never removed or modified
Publicly auditable: Anyone can verify the log's integrity
Consistent: All observers see the same log contents

SCT Delivery Methods

Servers can provide SCTs in three ways:

X.509v3 extension: Embedded directly in the certificate (most common)
TLS extension: Delivered during the TLS handshake
OCSP stapling: Included in the OCSP response

Browser Requirements

Chrome's CT Policy

Chrome requires all publicly-trusted certificates to have valid SCTs. The number required depends on certificate validity:

< 15 months: 2 SCTs from different logs
15-27 months: 3 SCTs
27-39 months: 4 SCTs
> 39 months: 5 SCTs

Safari's CT Policy

Safari requires at least 2 SCTs from approved logs, with additional requirements for longer-lived certificates.

Firefox

Firefox doesn't currently enforce CT but plans to in the future.

Monitoring CT Logs

Why Monitor?

CT monitoring alerts you to:

Certificates issued without your authorization
Potential phishing sites using similar domain names
Shadow IT using unauthorized subdomains
Certificate misconfigurations by your team

Free Monitoring Services

crt.sh: Search and subscribe to certificate issuance
Google Certificate Transparency: Search Google's CT logs
Facebook Certificate Transparency Monitoring: Free monitoring with alerts
Cert Spotter: Open-source monitoring tool

Setting Up Monitoring

# Search for certificates issued for your domain on crt.sh
curl "https://crt.sh/?q=%.example.com&output=json" | jq '.[0:5]'

# Using certspotter
certspotter -domain example.com -follow

What to Look For

When reviewing CT logs, investigate:

Certificates for subdomains you don't recognize
Certificates from CAs you don't use
Multiple certificates issued in a short time
Certificates with unusual validity periods
Wildcard certificates you didn't request

Responding to Suspicious Certificates

Verification Steps

Check ownership: Verify if the certificate was legitimately requested
Identify the CA: Contact them about the certificate's origin
Review validation: Understand how domain ownership was verified
Check for compromise: If unauthorized, investigate how validation was bypassed

Revocation

If you find an unauthorized certificate:

Contact the issuing CA immediately
Provide proof of domain ownership
Request certificate revocation
Monitor for additional unauthorized certificates
Consider implementing CAA records

CAA Records: Preventing Unauthorized Issuance

Certificate Authority Authorization (CAA) DNS records specify which CAs can issue certificates for your domain:

# Only allow Let's Encrypt and DigiCert to issue certificates
example.com.  CAA  0 issue "letsencrypt.org"
example.com.  CAA  0 issue "digicert.com"
example.com.  CAA  0 issuewild ";"  # Prevent wildcard certificates

# Send reports of policy violations
example.com.  CAA  0 iodef "mailto:security@example.com"

CAA Record Types

issue: CAs allowed to issue certificates
issuewild: CAs allowed to issue wildcard certificates
iodef: Where to report policy violations

CAA Best Practices

Always set CAA records for your domains
Be explicit about wildcard policies
Include an iodef record for notifications
Review CAA records when changing CAs

CT for Security Teams

Asset Discovery

CT logs reveal your certificate footprint, including:

All subdomains with certificates
Shadow IT and forgotten systems
Third-party services using your domain
Historical certificate information

Incident Detection

CT monitoring can detect:

Phishing infrastructure being set up
Compromised DNS leading to certificate issuance
Insider threats requesting unauthorized certificates
Supply chain attacks on your vendors

Compliance

Many security frameworks now recommend or require CT monitoring:

PCI DSS for payment processing
SOC 2 for service organizations
Industry-specific requirements (financial, healthcare)

CT Implementation Checklist

Ensure all your certificates include valid SCTs
Set up CT log monitoring for your domains
Configure CAA records to restrict certificate issuance
Establish a process to investigate CT alerts
Document your approved CAs and subdomains
Include CT monitoring in your security program
Use SecScanner to verify CT compliance
Review CT logs during security assessments
Train teams on CT alert handling
Test your incident response for unauthorized certificates

Certificate Transparency has fundamentally improved web security by making certificate issuance auditable. Take advantage of this visibility to protect your domains and users.

The Problem CT Solves

The Certificate Trust Model

Real-World Incidents

How Certificate Transparency Works

The CT Ecosystem

CT Log Structure

SCT Delivery Methods

Browser Requirements

Chrome's CT Policy

Safari's CT Policy

Firefox

Monitoring CT Logs

Why Monitor?

Free Monitoring Services

Setting Up Monitoring

What to Look For

Responding to Suspicious Certificates

Verification Steps

Revocation

CAA Records: Preventing Unauthorized Issuance

CAA Record Types

CAA Best Practices

CT for Security Teams

Asset Discovery

Incident Detection

Compliance

CT Implementation Checklist

Related Articles

TLS/HTTPS Security Essentials: Protecting Your Website in 2025

Subdomain Takeover: Detection, Prevention, and Remediation

Email Security with SPF, DKIM, and DMARC: A Complete Guide

Check Your Website Security

The Problem CT Solves

The Certificate Trust Model

Real-World Incidents

How Certificate Transparency Works

The CT Ecosystem

CT Log Structure

SCT Delivery Methods

Browser Requirements

Chrome's CT Policy

Safari's CT Policy

Firefox

Monitoring CT Logs

Why Monitor?

Free Monitoring Services

Setting Up Monitoring

What to Look For

Responding to Suspicious Certificates

Verification Steps

Revocation

CAA Records: Preventing Unauthorized Issuance

CAA Record Types

CAA Best Practices

CT for Security Teams

Asset Discovery

Incident Detection

Compliance

CT Implementation Checklist

Related Articles

TLS/HTTPS Security Essentials: Protecting Your Website in 2025

Subdomain Takeover: Detection, Prevention, and Remediation

Email Security with SPF, DKIM, and DMARC: A Complete Guide

Check Your Website Security