Security

Understanding Certificate Transparency Logs

What certificate transparency logs are, how they work, and why they matter for detecting misissued or unauthorized certificates for your domains.

CertGuard Team · 8 min read

The Problem CT Logs Solve

In 2011, the Dutch Certificate Authority DigiNotar was compromised. The attackers issued fraudulent certificates for hundreds of domains, including google.com, and those certificates could be used to intercept TLS traffic without triggering any browser warning. The rogue google.com certificate was in use against users in Iran for weeks before a Chrome user tripped Chrome's public-key pinning for Google domains and reported it. Nothing in the system forced the issuance into public view, so there was no record anyone could have checked.

Certificate Transparency (CT) does not stop a CA from misissuing a certificate; it makes sure the misissuance cannot stay hidden. CT is a system of public, append-only logs that record every certificate issued by participating CAs. Anyone can query these logs, and domain owners can monitor them for certificates they never requested.

How CT Logs Work

When a Certificate Authority issues a certificate, it submits the certificate (or a precertificate: the same certificate carrying a critical "poison" extension so it cannot be used for TLS) to one or more CT log servers. Each log responds with a Signed Certificate Timestamp (SCT), a signed promise that the certificate will be incorporated into the log within the log's Maximum Merge Delay (MMD), typically 24 hours.

The SCTs are then delivered to the client in one of three ways: embedded in the final certificate as an X.509 extension (this is why precertificates exist, since the CA must obtain the SCTs before it can sign the certificate that carries them), sent in a TLS extension during the handshake, or included in a stapled OCSP response. Chrome and Safari enforce CT policies that require SCTs from multiple independent logs; a publicly trusted certificate that does not carry enough of them is treated as untrusted. This gives CAs a strong incentive to log every certificate they issue.

Each log is a Merkle hash tree, and the log periodically signs its current root as a Signed Tree Head (STH). Given two STHs, the log must be able to produce a consistency proof showing that the newer tree is the older tree plus appended entries, and for any logged certificate it must produce an inclusion proof tying that entry to an STH. If the log silently removed or altered an entry, the proofs stop adding up. The remaining risk is a log that shows different trees to different observers (a split view), which is what gossip between monitors and auditors is designed to catch.

What CT Logs Contain

Each entry in a CT log includes the full certificate or precertificate together with the chain of CA certificates it was submitted with. This means the following information is publicly available for every logged certificate:

  • The domain name(s) the certificate covers (the Subject Alternative Names)
  • The issuing Certificate Authority
  • The certificate's serial number
  • The certificate's validity period (not before / not after dates)
  • The public key
  • The signature algorithm

This public visibility is the core feature: if an unauthorized certificate is issued for your domain, it will appear in CT logs, and monitoring those logs lets you detect it. The same visibility works for everyone else too: attackers routinely mine CT logs to enumerate subdomains, so any hostname you put in a certificate should be treated as public the moment that certificate is logged.

Why Domain Owners Should Care

CT logs let you answer the question: "Has anyone issued a certificate for my domain that I didn't authorize?" This covers several threat scenarios:

  • CA compromise: If a CA is hacked, fraudulent certificates for your domain will appear in CT logs. An attacker who skips logging to stay hidden ends up with a certificate that CT-enforcing browsers reject, so logging is hard to avoid.
  • Unauthorized issuance: If someone within your organization requests a certificate without proper approval, you'll see it.
  • Domain validation bypass: If an attacker temporarily gains control of your DNS or email to validate a certificate request, the resulting certificate will be logged.
  • Shadow IT: Certificates issued for subdomains you didn't know existed — revealing unofficial services or infrastructure.

Monitoring CT Logs in Practice

Several free services let you monitor CT logs for your domains. crt.sh is the usual choice for ad-hoc searches, and Google's Certificate Transparency search tool serves the same purpose. For continuous monitoring, you can set up alerts through services like Facebook's Certificate Transparency Monitoring or SSLMate's Cert Spotter, or poll the logs yourself and compare what you find against your own inventory.
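The comparison step is where the threat scenarios above turn into concrete checks. The block below is an added example written for this article, not CertGuard's code or crt.sh's: it reviews records shaped like crt.sh's JSON output against a hostname inventory and an approved-issuer list, reporting unexpected issuers (CA compromise, domain-validation bypass), hostnames not in the inventory (shadow IT, unauthorized issuance) and wildcard certificates. The records, hostnames and issuer names are constructed for the example; the query URL format (`%.example.com` with `output=json`) is an assumption about crt.sh's interface, and the block does not fetch anything so that it runs offline.

```python
import json
from urllib.parse import quote

# Constructed inventory and policy for the example; replace with your own.
MONITORED_DOMAIN = "example.com"
KNOWN_HOSTS = {"example.com", "www.example.com", "api.example.com"}
APPROVED_ISSUER_ORGS = {"Example Trust Services"}

# Constructed records in the shape crt.sh returns for ?output=json
# (keys such as issuer_name, name_value, serial_number); every value is invented.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "serial_number": "0a1b", "issuer_name": "C=US, O=Example Trust Services, CN=Example CA 1",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T00:00:00"},
    # The precertificate and the final certificate of one issuance can show up as two entries.
    {"id": 1002, "serial_number": "0a1b", "issuer_name": "C=US, O=Example Trust Services, CN=Example CA 1",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T00:00:00"},
    {"id": 1003, "serial_number": "77ff", "issuer_name": "C=US, O=Example Trust Services, CN=Example CA 1",
     "common_name": "api.example.com", "name_value": "api.example.com",
     "not_before": "2024-05-03T00:00:00", "not_after": "2024-08-01T00:00:00"},
    {"id": 1004, "serial_number": "c0de", "issuer_name": "C=GB, O=Other Certificate Co, CN=Other CA G2",
     "common_name": "staging-db.example.com", "name_value": "staging-db.example.com",
     "not_before": "2024-05-04T00:00:00", "not_after": "2025-05-04T00:00:00"},
    {"id": 1005, "serial_number": "beef", "issuer_name": "C=US, O=Example Trust Services, CN=Example CA 1",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "not_before": "2024-05-05T00:00:00", "not_after": "2024-08-03T00:00:00"},
])


def crtsh_query_url(domain: str) -> str:
    # Assumed query form: %.example.com matches the apex and every subdomain.
    return "https://crt.sh/?q=" + quote("%." + domain, safe="") + "&output=json"


def issuer_org(issuer_dn: str) -> str:
    # issuer_name is a comma-separated DN string; pull out the O= attribute.
    for part in issuer_dn.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:]
    return ""


def in_scope(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def review_entries(records, known_hosts, approved_orgs, domain):
    """Return one finding per policy violation; an empty list means nothing unexpected."""
    findings = []
    seen = set()
    for rec in records:
        key = (rec["issuer_name"], rec["serial_number"])
        if key in seen:
            continue  # precert/cert pair: one issuance, report it once
        seen.add(key)
        names = sorted({n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()})
        org = issuer_org(rec["issuer_name"])
        if org not in approved_orgs:
            findings.append({"id": rec["id"], "type": "unexpected_issuer",
                             "detail": org, "names": names})
        for name in names:
            if not in_scope(name, domain):
                continue
            if name.startswith("*."):
                # A wildcard covers hosts you never listed, so it always deserves a look.
                findings.append({"id": rec["id"], "type": "wildcard", "detail": name, "names": names})
            elif name not in known_hosts:
                findings.append({"id": rec["id"], "type": "unknown_name", "detail": name, "names": names})
    return findings


def review_crtsh_json(text: str):
    return review_entries(json.loads(text), KNOWN_HOSTS, APPROVED_ISSUER_ORGS, MONITORED_DOMAIN)


if __name__ == "__main__":
    print("would query:", crtsh_query_url(MONITORED_DOMAIN))
    for f in review_crtsh_json(SAMPLE_CRTSH_JSON):
        print(f"crt.sh id {f['id']}: {f['type']} {f['detail']} (names: {', '.join(f['names'])})")
```

Run on the constructed records this reports the staging-db certificate twice (unexpected issuer and a hostname nobody inventoried) and the wildcard once, while the duplicate precertificate entry is collapsed into its final certificate. In production, persist the set of (issuer, serial) pairs you have already reviewed so that each poll only surfaces new issuances.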

CertGuard complements CT log monitoring by checking the certificates your servers actually present. While CT logs tell you what certificates exist, CertGuard tells you what certificates are in use and whether they're about to expire. Together, these approaches give you comprehensive visibility into your certificate landscape.

The Bigger Picture: Web PKI Accountability

CT logs represent a broader shift toward transparency and accountability in the Web PKI (Public Key Infrastructure). Before CT, domain owners had to blindly trust that CAs would only issue certificates to authorized parties. Now, every certificate that is meant to work in a CT-enforcing browser is recorded in a tamper-evident public ledger.

This transparency has already led to the discovery of numerous CA misbehaviors and policy violations, resulting in stronger enforcement and better practices across the industry. As a domain owner, CT logs are your window into what's happening with certificates for your domains — and staying informed is the first step to staying secure.

Getting Started

Start by searching for your domains in crt.sh (a query such as %.example.com matches the apex and every subdomain) to see all certificates that have been issued for them. Review the results for any certificates you don't recognize, bearing in mind that one issuance can appear twice, once as a precertificate and once as the final certificate. Then set up continuous monitoring, either through a dedicated CT monitoring service or by combining CT awareness with endpoint monitoring through CertGuard. The certificates issued for your domains should never be a surprise.