Certificate Transparency

Certificate Transparency is a framework for detecting improperly issued TLS certificates. You can use it to identify such certificates and have them revoked.

Background

Transport Layer Security (TLS) allows clients and servers to exchange data securely. Web browsers use TLS certificates both to encrypt traffic and to distinguish trusted from untrusted web sites. If a web browser encounters an untrusted certificate, it warns the user that the site is untrusted and that they should proceed with caution.

To prevent visitors to your site from seeing an untrusted web site warning when using TLS, you must request a publicly-trusted certificate from a Certificate Authority (CA). There are hundreds of CAs, and each performs its own checks to verify your digital identity before issuing you a publicly-trusted certificate.

Problems can arise, however, if a CA is compromised or mis-issues a publicly-trusted certificate. When this happens, it may take weeks before the CA revokes the improperly issued certificates.

To address this problem, Google introduced the Certificate Transparency (CT) project. The CT framework allows anyone to log, audit, and monitor publicly-trusted TLS certificates newly issued by any CA.

To help you take advantage of this framework, we have built a free monitoring tool that lets you discover any certificates newly issued for specific domains. If you discover that a CA has issued a certificate you didn't request for a domain that you own, you can contact the CA to make sure your digital identity has not been compromised and to determine whether the certificate should be revoked.

Certificate Transparency Monitoring Tool

Our Certificate Transparency Monitoring Tool works by continuously fetching and storing data from a set of known public Certificate Authority CT logs. You can use this data store to search for newly issued certificates by domain, or to set up a subscription that will notify you whenever a new certificate is issued for a domain.

To search for newly issued certificates by domain:

To set up a subscription:

For the best experience, we recommend that you use the monitoring tool in this way:

  1. Set up a Certificate Transparency webhook subscription for a domain that you own.
  2. Set up a script that can read the webhook notification and immediately use its contents to query the /certificates endpoint to get more information.
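An added example, not part of the tool's own code, of the triage a step 2 script can run once it has the certificate details: it keeps only certificates covering the domain you own and flags any issued by a CA you do not use or for names not in your inventory. The notification and certificate record fields (`domain`, `certificates`, `issuer`, `domains`) are assumed shapes, since this page does not document the webhook or `/certificates` response format.

```python
import json

# Constructed sample notification. Its field names are an assumption for this
# example; the tool's real webhook and /certificates formats are not documented here.
SAMPLE_NOTIFICATION = json.dumps({
    "domain": "example.com",
    "certificates": [
        {"issuer": "Example Trusted CA", "domains": ["www.example.com", "example.com"]},
        {"issuer": "Unknown Issuer Ltd", "domains": ["login.example.com"]},
        {"issuer": "Example Trusted CA", "domains": ["*.example.com"]},
        {"issuer": "Example Trusted CA", "domains": ["notexample.com"]},
    ],
})

# The domain owner's own inventory (constructed): CAs actually in use and the
# exact names certificates were requested for.
EXPECTED_ISSUERS = {"Example Trusted CA"}
KNOWN_NAMES = {"example.com", "www.example.com"}


def covers_owned_domain(name, owned):
    """True if a certificate name (wildcards included) is the owned domain or a subdomain of it."""
    bare = name.lower().lstrip("*.")  # "*.example.com" -> "example.com"
    return bare == owned or bare.endswith("." + owned)


def triage(notification_json, expected_issuers, known_names):
    """Return the certificates from a notification that need a human look."""
    note = json.loads(notification_json)
    owned = note["domain"].lower()
    flagged = []
    for cert in note["certificates"]:
        names = [n.lower() for n in cert["domains"]]
        relevant = [n for n in names if covers_owned_domain(n, owned)]
        if not relevant:
            continue  # unrelated name that merely looks similar
        reasons = []
        if cert["issuer"] not in expected_issuers:
            reasons.append("unexpected issuer: " + cert["issuer"])
        unknown = sorted(set(relevant) - set(known_names))
        if unknown:
            # Includes wildcard certificates you never requested for your domain.
            reasons.append("names not in inventory: " + ", ".join(unknown))
        if reasons:
            flagged.append({"domains": names, "issuer": cert["issuer"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_NOTIFICATION, EXPECTED_ISSUERS, KNOWN_NAMES):
        print(hit["issuer"], hit["domains"], "->", "; ".join(hit["reasons"]))
```

Anything returned by `triage` is what you would raise with the issuing CA.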