Certificate Transparency Logs
Explore CT logs and how they detect mis-issued certificates. See how SCTs work and why CT matters for security.

Certificate Transparency (CT) Logs
Public, append-only logs of all SSL/TLS certificates - detecting rogue and malicious certs
CT Logs (Public Ledger) - Append-only, tamper-evident
[2024-03-15 10:23:01] google.com - DigiCert [NEW]
[2024-03-15 10:23:02] amazon.com - Amazon CA
[2024-03-15 10:23:03] microsoft.com - Microsoft CA
[2024-03-15 10:23:04] yoursite.com - Let's Encrypt
[2024-03-15 10:23:05] github.com - DigiCert
Entries can never be removed - Merkle tree structure ensures tamper-evidence
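How the Merkle tree makes removal or alteration detectable, as an added example that is not part of the original demo: it builds the RFC 6962 tree hash over five entries, produces an audit path for one of them, and verifies it against the tree head. The entry strings are constructed stand-ins modelled on the log view above (real leaves are binary MerkleTreeLeaf structures), and the function names are this example's own.

```python
import hashlib

def leaf_hash(entry):              # RFC 6962: SHA-256(0x00 || leaf)
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left, right):        # RFC 6962: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(n):                      # largest power of two strictly below n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def tree_head(entries):
    """Merkle tree hash over the whole log: the value a log signs as its tree head."""
    if len(entries) <= 1:
        return leaf_hash(entries[0]) if entries else hashlib.sha256(b"").digest()
    k = split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def audit_path(m, entries):
    """Sibling hashes needed to recompute the tree head from entry m."""
    if len(entries) == 1:
        return []
    k = split(len(entries))
    if m < k:
        return audit_path(m, entries[:k]) + [tree_head(entries[k:])]
    return audit_path(m - k, entries[k:]) + [tree_head(entries[:k])]

def root_from_path(lh, m, n, path):
    """Recompute the head from a leaf hash and its path; None if the path length is wrong."""
    if n == 1:
        return lh if not path else None
    if not path:
        return None
    k, left = split(n), m < split(n)
    sub = root_from_path(lh, m, k, path[:-1]) if left else root_from_path(lh, m - k, n - k, path[:-1])
    if sub is None:
        return None
    return node_hash(sub, path[-1]) if left else node_hash(path[-1], sub)

def verify_inclusion(entry, m, n, path, head):
    return 0 <= m < n and root_from_path(leaf_hash(entry), m, n, path) == head

# Constructed sample entries (text stand-ins, not real CT leaf encodings).
LOG = [b"google.com-DigiCert", b"amazon.com-Amazon CA", b"microsoft.com-Microsoft CA",
       b"yoursite.com-Let's Encrypt", b"github.com-DigiCert"]
HEAD = tree_head(LOG)

if __name__ == "__main__":
    proof = audit_path(3, LOG)
    print("included:", verify_inclusion(LOG[3], 3, len(LOG), proof, HEAD))
    print("head after removing entry 3 matches:", tree_head(LOG[:3] + LOG[4:]) == HEAD)
```

An auditor only needs the signed tree head and the short audit path (three hashes here), not the full log, to confirm an entry is present.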
Google Argon - Google
Google Xenon - Google
Cloudflare Nimbus - Cloudflare
DigiCert Yeti - DigiCert
Let's Encrypt Oak - Let's Encrypt
Signed Certificate Timestamp (SCT)
Signed Certificate Timestamp:
├── Version: 1
├── Log ID: 7ku9t3XO... (Google Argon)
├── Timestamp: 2024-03-15T10:23:04Z
├── Extensions: (none)
└── Signature: 3045022100...
SCT = cryptographic proof that the certificate is/will be logged
Monitor Your Domain
Example results for example.com:
example.com - Let's Encrypt R3 - 2024-03-01
example.com - Let's Encrypt R3 - 2023-12-01
*.example.com - DigiCert - 2023-06-15
example.com - Unknown CA - 2024-02-28 [INVESTIGATE]
Certificate Transparency Quick Facts
- ✓ All public TLS certs MUST be logged (Chrome requirement)
- ✓ Logs are append-only - certs cannot be removed
- ✓ Anyone can monitor logs for their domains
- ✓ SCTs prove a cert is logged
- ✓ Free tools: crt.sh, certspotter, Facebook CT monitor
- ✓ This is why your certificates are public information
Monitoring Tools
Certificate Transparency helps detect rogue certificates before they can be used maliciously