Certificate Transparency (CT)

Security Glossary - SSL/TLS

Definition: Certificate Transparency is an open framework for monitoring and auditing SSL certificate issuance. CAs must log every certificate they issue to publicly accessible, append-only CT logs. This allows domain owners to detect if a CA has issued an unauthorized certificate for their domain, and enables browsers to require CT compliance before trusting a certificate.

The Importance of CT

Certificate Transparency was created in response to CA compromises where attackers obtained fraudulent certificates for high-profile domains like google.com. Before CT, there was no reliable way for a domain owner to know if a rogue certificate had been issued for their domain.

With CT, every publicly trusted certificate must be logged. Domain owners can monitor these logs to detect unauthorized certificates quickly. Google Chrome requires CT compliance for all new certificates - a certificate without CT log entries will cause a browser warning. This means that even a certificate issued by a compromised CA appears in the public logs, where the domain owner can detect it.

For website operators, CT logs are a free security monitoring tool. Services like crt.sh allow you to search CT logs for all certificates ever issued for your domain. This helps detect subdomain takeover attempts, phishing sites using your brand, or accidental certificate misissuance by your CA.

Testing Your Configuration

Search CT logs at crt.sh to see all certificates issued for your domain. An SSL checker will also verify that your certificate has valid Signed Certificate Timestamps (SCTs) proving it was logged. Regular CT monitoring helps you detect unauthorized certificates early.
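An SSL checker verifies SCTs by reading the SignedCertificateTimestampList embedded in the certificate (X.509 extension OID 1.3.6.1.4.1.11129.2.4.2). The following Python parser is an added example, not part of this glossary; it decodes that structure as RFC 6962 defines it over a constructed sample whose log ID and signature are placeholders, so it runs offline and stops short of verifying the signature against a log's public key.

```python
import struct
from datetime import datetime, timezone

def _take(buf, pos, n):
    if pos + n > len(buf):                   # refuse truncated input
        raise ValueError("truncated SCT data")
    return buf[pos:pos + n], pos + n

def parse_sct(sct):
    """Parse one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    version, pos = _take(sct, 0, 1)
    if version[0] != 0:                      # only v1 (value 0) is defined
        raise ValueError(f"unsupported SCT version {version[0]}")
    log_id, pos = _take(sct, pos, 32)        # SHA-256 of the log's public key
    ts, pos = _take(sct, pos, 8)             # milliseconds since the Unix epoch
    ext_len, pos = _take(sct, pos, 2)
    _ext, pos = _take(sct, pos, struct.unpack(">H", ext_len)[0])
    algs, pos = _take(sct, pos, 2)           # TLS SignatureAndHashAlgorithm
    sig_len, pos = _take(sct, pos, 2)
    sig, pos = _take(sct, pos, struct.unpack(">H", sig_len)[0])
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT")
    return {
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(
            struct.unpack(">Q", ts)[0] / 1000, tz=timezone.utc),
        "hash_alg": algs[0], "sig_alg": algs[1],  # 4 = sha256, 3 = ecdsa
        "signature": sig,                         # verify against the log's key
    }

def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList (extension OID 1.3.6.1.4.1.11129.2.4.2)."""
    hdr, pos = _take(data, 0, 2)             # u16 total length
    body, _ = _take(data, pos, struct.unpack(">H", hdr)[0])
    scts, pos = [], 0
    while pos < len(body):                   # each SCT is u16-length-prefixed
        n, pos = _take(body, pos, 2)
        raw, pos = _take(body, pos, struct.unpack(">H", n)[0])
        scts.append(parse_sct(raw))
    return scts

# Constructed sample (not a real log's SCT): placeholder log ID and signature.
_sct = (b"\x00" + bytes(range(32)) + (1500000000000).to_bytes(8, "big")
        + b"\x00\x00" + b"\x04\x03" + b"\x00\x03" + b"\xaa\xbb\xcc")
SAMPLE_SCT_LIST = (len(_sct) + 2).to_bytes(2, "big") + len(_sct).to_bytes(2, "big") + _sct
```

A checker that finds no SCT list extension, or SCTs whose log IDs are not in the browser's trusted log list, would report the certificate as non-compliant even if the rest of the chain validates.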


Case Study

Certificate Transparency logs detected the 2017 Symantec misissuance scandal, where Symantec CAs had issued over 30,000 certificates without proper validation. The CT log evidence was key to Google's decision to progressively distrust all Symantec-issued certificates in Chrome, ultimately forcing Symantec to sell its CA business to DigiCert.

CT FAQ

Can I opt out of Certificate Transparency?

No. Chrome requires all publicly trusted certificates to be CT-logged. Certificates without valid SCTs will cause browser warnings. Private CA certificates used only internally are not subject to CT requirements.

How do I monitor Certificate Transparency logs for my domain?

Use free services like crt.sh or Cert Spotter to set up alerts for new certificates issued for your domain. Facebook's CT monitoring tool also provides email alerts. This helps you detect unauthorized certificate issuance.