Certificate Transparency Logs: Detecting Rogue Certificates and Monitoring Your Domain
What Are Certificate Transparency Logs?
Certificate Transparency (CT) is an open framework for logging, monitoring and auditing publicly trusted TLS certificates. Developed at Google and published as RFC 6962 in 2013 (revised as RFC 9162 in 2021), CT, together with the browser policies built on it, requires Certificate Authorities (CAs) to publicly log every certificate they issue. These append-only, cryptographically verifiable logs allow domain owners, browsers, and security researchers to detect misissued or fraudulent certificates.
Before CT, a compromised or malicious CA could issue a certificate for any domain without the domain owner ever knowing. CT closes this gap by making certificate issuance a transparent, auditable process.
How Certificate Transparency Works
The CT ecosystem involves four key components working together:
1. CT Logs
CT logs are append-only, Merkle tree-based data structures operated by independent organizations. Each log accepts certificates from CAs and returns a Signed Certificate Timestamp (SCT): the log's signed promise to incorporate the entry within its Maximum Merge Delay (24 hours for the logs browsers accept). The entry is then published for public inspection. Major log operators include Google, Cloudflare, DigiCert, and Sectigo.
2. Certificate Authorities
CAs submit either a precertificate before issuance or the final certificate after it to one or more CT logs, and receive SCTs in return. SCTs obtained for a precertificate are embedded in the final certificate; SCTs obtained afterwards must be delivered by the server, either in a TLS extension or in a stapled OCSP response.
3. Monitors
Monitors continuously watch CT logs for new entries. Domain owners run monitors to detect certificates issued for their domains. Security researchers monitor for patterns of suspicious issuance across the entire certificate ecosystem.
4. Auditors
Auditors verify that CT logs behave correctly: that they are append-only, present the same view to everyone, and do not omit or backdate entries. Browsers perform part of this role by verifying SCT signatures during TLS handshakes, but an SCT is only a promise of inclusion. Confirming that the promise was kept requires fetching inclusion proofs and comparing signed tree heads across observers, which dedicated auditors and monitors do.
The Merkle Tree Structure
CT logs use Merkle hash trees to provide cryptographic proof of consistency and inclusion:
                Root Hash
               /         \
          Hash01         Hash23
          /    \         /    \
      Hash0  Hash1   Hash2  Hash3
        |      |       |      |
      Cert0  Cert1   Cert2  Cert3

Inclusion proof for Cert2 (leaf index 2 in a tree of size 4):
- Hash3 (sibling of Hash2)
- Hash01 (sibling of the parent node Hash23)
- Verify: Root = Hash(Hash01 || Hash(Hash2 || Hash3))

In RFC 6962 every Hash is SHA-256, leaf hashes are computed over 0x00 || certificate and interior nodes over 0x01 || left || right. The prefix bytes keep leaves and interior nodes in separate domains, so a proof cannot pass one off as the other.
This structure allows anyone to verify that a specific certificate exists in the log without downloading the entire log, and to verify that the log has not been tampered with by checking consistency proofs between different tree sizes.
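The tree, the two proof types and the verifier-side checks, as an added example that is not code from the original article. It implements the RFC 6962 hashing and proof construction and the RFC 9162 verification algorithms; the "cert" leaves are constructed byte strings standing in for DER certificates.

```python
# Added example: a minimal RFC 6962 / RFC 9162 Merkle tree with inclusion and
# consistency proofs. Leaves are constructed byte strings, not real certificates.
import hashlib
from typing import List


def hash_leaf(entry: bytes) -> bytes:
    """Leaf hash: SHA-256 over 0x00 || entry (domain separation, RFC 6962 2.1)."""
    return hashlib.sha256(b"\x00" + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    """Interior node hash: SHA-256 over 0x01 || left || right."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2): the RFC's split point k."""
    return 1 << ((n - 1).bit_length() - 1)


def tree_hash(entries: List[bytes]) -> bytes:
    """MTH(D[n]): the root hash a log signs in its Signed Tree Head."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = _split(n)
    return hash_node(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_proof(entries: List[bytes], m: int) -> List[bytes]:
    """PATH(m, D[n]): sibling hashes from leaf m up to the root (RFC 6962 2.1.1)."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if m < k:
        return inclusion_proof(entries[:k], m) + [tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """RFC 9162 2.1.3.2: rebuild the root from the leaf and its audit path."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, hash_leaf(entry)
    for p in proof:
        if sn == 0:                        # more proof hashes than the tree is deep
            return False
        if fn & 1 or fn == sn:             # we are a right child (or the last node)
            r = hash_node(p, r)
            while not (fn & 1) and fn:     # climb past levels with no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:                              # we are a left child
            r = hash_node(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root           # sn != 0 means the proof was truncated


def consistency_proof(entries: List[bytes], m: int) -> List[bytes]:
    """PROOF(m, D[n]): evidence that the first m entries are a prefix of all n."""
    def sub(part: List[bytes], m: int, complete: bool) -> List[bytes]:
        if m == len(part):
            return [] if complete else [tree_hash(part)]
        k = _split(len(part))
        if m <= k:
            return sub(part[:k], m, complete) + [tree_hash(part[k:])]
        return sub(part[k:], m - k, False) + [tree_hash(part[:k])]
    return sub(entries, m, True)


def verify_consistency(first: int, second: int, first_hash: bytes,
                       second_hash: bytes, proof: List[bytes]) -> bool:
    """RFC 9162 2.1.4.2: check that the tree of size `second` extends `first`
    without rewriting history (the append-only property an auditor checks)."""
    if first == second:
        return first_hash == second_hash and not proof
    if first > second or not proof:
        return False
    path = list(proof)
    if first & (first - 1) == 0:           # power of two: old root is a full subtree
        path.insert(0, first_hash)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = hash_node(c, fr), hash_node(c, sr)
            while not (fn & 1) and fn:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = hash_node(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_hash and sr == second_hash and sn == 0
```

A monitor that has stored a log's signed tree head at size 4 calls verify_consistency(4, 5, old_root, new_root, proof) when the log advertises size 5; a tampered or forked log fails that check even though each of its tree heads is validly signed.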
Browser Enforcement
Modern browsers enforce CT requirements for all publicly trusted certificates:
- Google Chrome — for certificates issued on or after April 30, 2018, requires SCTs from at least two CT logs run by different operators (three for longer-lived certificates; the count for embedded SCTs grows with validity). Certificates without a qualifying set of SCTs are rejected with NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.
- Apple Safari — enforces CT for certificates issued after October 15, 2018, requiring SCTs from logs operated by at least two different entities.
- Mozilla Firefox — for years did not enforce CT and relied on CAs submitting certificates to logs; enforcement began in Firefox 135 (February 2025) for certificates chaining to roots in Mozilla's program.
Monitoring Your Domain
Actively monitoring CT logs for your domain is essential for detecting unauthorized certificate issuance. Here is how to set up effective monitoring:
Using crt.sh
The most accessible tool for searching CT logs is crt.sh, operated by Sectigo. It indexes the public logs into a queryable database: % acts as a wildcard, so %.example.com matches every subdomain, and the name_value field of the JSON output lists all Subject Alternative Names, newline-separated. Expect one precertificate entry and one final-certificate entry per issuance (same serial number), and expect results to lag the logs themselves.
# Search for all certificates issued for your domain
curl -s "https://crt.sh/?q=%.example.com&output=json" | \
jq '.[0:5] | .[] | {
issuer: .issuer_name,
common_name: .common_name,
not_before: .not_before,
not_after: .not_after
}'
# Search for recently issued certificates
curl -s "https://crt.sh/?q=example.com&exclude=expired&output=json"
Automated Monitoring Services
- Facebook CT Monitor — free service that emails alerts when new certificates are detected for your domains.
- Cert Spotter (SSLMate) — monitors CT logs and alerts on new issuance. Free tier available for individual domains.
- Google Certificate Transparency Search — search engine for CT logs at transparencyreport.google.com.
Self-Hosted Monitoring
For organizations requiring full control over monitoring, self-hosted solutions provide the most flexibility:
- Certstream — open-source tool that provides a real-time stream of CT log entries. Filter for your domains and trigger alerts via webhooks.
- ct-monitor scripts — custom scripts that periodically query CT log APIs or crt.sh and compare the results against an expected certificate inventory.
- SIEM integration — feed CT log data into your security information system for correlation with other security events.
Detecting Rogue Certificates
When monitoring CT logs, watch for these indicators of potentially rogue certificates:
- Unknown issuers — certificates from CAs you have never used or authorized.
- Unexpected subdomains — certificates for subdomains that should not exist or are not in your DNS.
- Suspicious timing — certificates issued outside of your normal renewal schedule.
- Wildcard certificates — unauthorized wildcard certificates that could cover any subdomain.
- Unusual validity periods — a lifetime that matches none of your issuers' profiles. Short validity on its own is normal (Let's Encrypt issues 90-day certificates), so weigh this indicator together with the issuer and timing.
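A self-hosted check in the spirit of the ct-monitor scripts above, applying the indicators just listed to crt.sh output, as an added example that is not code from the original article. The JSON is a constructed sample in the shape crt.sh returns (issuer names, serials and timestamps are made up), and the authorized-issuer and known-name inventory is an assumption standing in for your DNS and procurement records.

```python
# Added example: triage crt.sh JSON against a certificate inventory.
# SAMPLE_CRTSH_JSON is constructed test data, not real log entries.
import json
import re
import urllib.parse
import urllib.request
from typing import Dict, List, Set

SAMPLE_CRTSH_JSON = json.dumps([
    # final certificate and its precertificate share a serial; crt.sh lists both
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03a1", "not_before": "2024-03-01T10:00:00",
     "not_after": "2024-05-30T10:00:00", "entry_timestamp": "2024-03-01T10:01:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03a1", "not_before": "2024-03-01T10:00:00",
     "not_after": "2024-05-30T10:00:00", "entry_timestamp": "2024-03-01T10:00:30"},
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "serial_number": "03b7", "not_before": "2024-03-09T02:14:00",
     "not_after": "2024-06-07T02:14:00", "entry_timestamp": "2024-03-09T02:15:00"},
    {"id": 1004, "issuer_name": "C=GB, O=Example Budget CA Ltd, CN=Budget DV CA 2",
     "common_name": "login.example.com",
     "name_value": "login.example.com\nvpn-test.example.com",
     "serial_number": "03c2", "not_before": "2024-03-10T23:40:00",
     "not_after": "2025-03-10T23:40:00", "entry_timestamp": "2024-03-10T23:41:00"},
])

# Assumed inventory: who may issue for us, and which names exist in our DNS.
AUTHORIZED_ISSUER_ORGS: Set[str] = {"Let's Encrypt"}
KNOWN_NAMES: Set[str] = {"example.com", "www.example.com", "login.example.com"}
ALLOW_WILDCARDS = False


def fetch_crtsh(domain: str) -> List[dict]:
    """Live query of the same endpoint as the curl example (not used offline)."""
    qs = urllib.parse.urlencode({"q": f"%.{domain}", "output": "json"})
    with urllib.request.urlopen(f"https://crt.sh/?{qs}", timeout=60) as resp:
        return json.load(resp)


def issuer_org(issuer_name: str) -> str:
    """Pull the O= attribute out of crt.sh's issuer DN string."""
    m = re.search(r"(?:^|, )O=([^,]+)", issuer_name)
    return m.group(1) if m else issuer_name


def triage(records: List[dict]) -> List[dict]:
    """Collapse precert/leaf pairs by serial and flag inventory violations."""
    by_serial: Dict[str, dict] = {}
    for rec in records:
        by_serial.setdefault(rec["serial_number"], rec)
    findings = []
    for serial, rec in sorted(by_serial.items()):
        names = sorted(set(rec["name_value"].split("\n")) | {rec["common_name"]})
        org = issuer_org(rec["issuer_name"])
        reasons = []
        if org not in AUTHORIZED_ISSUER_ORGS:          # unknown issuer
            reasons.append(f"unknown issuer: {org}")
        wild = [n for n in names if n.startswith("*.")]
        if wild and not ALLOW_WILDCARDS:                # unauthorized wildcard
            reasons.append(f"wildcard: {', '.join(wild)}")
        unexpected = [n for n in names if n not in KNOWN_NAMES and n not in wild]
        if unexpected:                                  # names absent from our DNS
            reasons.append(f"unexpected names: {', '.join(unexpected)}")
        if reasons:
            findings.append({"serial": serial, "issuer": org, "names": names,
                             "not_before": rec["not_before"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(json.loads(SAMPLE_CRTSH_JSON)):
        print(f["serial"], f["issuer"], f["not_before"], f["reasons"])
```

Run on a schedule, the interesting output is the diff: persist the serials already triaged and alert only on new ones, and treat a hit on the unknown-issuer rule as the highest priority because it cannot be explained by your own automation.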
Responding to Unauthorized Certificates
- Verify the certificate is unauthorized. Check with your team and any third-party services that might legitimately issue certificates for your domain.
- Contact the issuing CA. File a certificate problem report and request revocation. Under the CA/Browser Forum Baseline Requirements the CA must begin investigating within 24 hours, and must revoke within 24 hours once it has evidence that the domain validation should not be relied upon.
- Investigate the root cause. Determine how the certificate was issued — compromised DNS, domain validation bypass, social engineering of the CA, or compromised CA systems.
- Implement CAA records. DNS CAA records specify which CAs are authorized to issue certificates for your domain; compliant CAs check them at validation time and refuse to issue otherwise. CAA is a preventive control at the CA, not a cryptographic one: a compromised CA or an attacker who controls your DNS can bypass it, which is why CT monitoring remains the detection layer.
- Report to browser vendors. If a CA has been compromised, report the incident to browser trust store operators.
CAA Records for Prevention
# DNS CAA records: only the listed CAs may issue. Without an issuewild record the issue records also govern wildcard issuance; issuewild ";" denies wildcards from everyone.
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuewild ";" # Deny all wildcard issuance
example.com. CAA 0 iodef "mailto:security@example.com"
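How a CA evaluates those records, as an added example that is not code from the original article: the lookup climbs from the requested name toward the root and the first name with a CAA RRset decides, issuewild overrides issue for wildcard requests, and an unknown property with the critical flag set blocks issuance (RFC 8659 sections 3 and 4). The zone is a constructed in-memory stand-in for live DNS, holding the records above plus two assumed subdomains.

```python
# Added example: CAA lookup and issuance decision per RFC 8659, against a
# constructed zone (no live DNS). Records are (flags, tag, value); flag 128 =
# issuer critical. Property parameters after ';' are ignored here.
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]

ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),                 # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [                   # assumed: a subdomain with its own policy
        (0, "issue", "sectigo.com"),
    ],
    "strict.example.com.": [                   # assumed: a critical tag this CA cannot parse
        (128, "futuretag", "x"),
        (0, "issue", "letsencrypt.org"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(fqdn: str, zone: Dict[str, List[CaaRecord]]) -> List[CaaRecord]:
    """RFC 8659 section 3: the closest ancestor-or-self with a CAA RRset wins;
    record sets at different levels are never merged."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return zone[name]
    return []


def issuance_allowed(ca_domain: str, fqdn: str,
                     zone: Dict[str, List[CaaRecord]] = ZONE) -> bool:
    """RFC 8659 section 4: may `ca_domain` issue for `fqdn`? A leading '*.'
    marks a wildcard request."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_caa(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True                            # no CAA anywhere: unrestricted
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False                           # unknown critical property: refuse
    tags = {tag for _, tag, _ in rrset}
    governing = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    values = [v for _, t, v in rrset if t == governing]
    if not values:
        return True                            # e.g. only iodef records: no restriction
    permitted = {v.split(";")[0].strip() for v in values}
    permitted.discard("")                      # a bare ";" authorises no CA
    return ca_domain in permitted


def report_address(fqdn: str, zone: Dict[str, List[CaaRecord]] = ZONE) -> str:
    """Where a CA should send a CAA violation report (the iodef property)."""
    for _, tag, value in relevant_caa(fqdn, zone):
        if tag == "iodef":
            return value
    return ""
```

The legacy.example.com entry shows the part of the lookup that surprises people: its own issue record replaces the parent's policy entirely, so letsencrypt.org can no longer issue for that subtree and, because it carries no issuewild, sectigo.com may issue wildcards beneath it.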
Conclusion
Certificate Transparency has fundamentally improved the security of the web PKI ecosystem. By making certificate issuance transparent and auditable, CT enables domain owners to detect and respond to unauthorized certificates before they can be used in attacks. Set up CT monitoring for your domains, implement CAA records, and make certificate inventory management part of your security operations workflow.