Certificate Transparency Log Search

Search Certificate Transparency logs to discover all certificates issued for a domain

About Certificate Transparency

What is Certificate Transparency?

Certificate Transparency (CT) is an open framework for monitoring and auditing SSL/TLS certificates. All publicly trusted Certificate Authorities are required to log the certificates they issue to public CT logs, creating an append-only, cryptographically assured record of every issued certificate.

Benefits of CT Logs

  • Security Monitoring: Detect unauthorized or mis-issued certificates for your domains in real time
  • Asset Discovery: Discover all subdomains and hostnames that have certificates, useful for inventory and security audits
  • Certificate Management: Track certificate renewals, expirations, and issuer patterns across your infrastructure
  • Compliance & Auditing: Maintain compliance by ensuring only authorized CAs issue certificates for your domains

Common Use Cases

  • Subdomain Enumeration: Discover all subdomains for a domain by analyzing SANs in issued certificates (Security teams use this for attack surface mapping)
  • Mis-issuance Detection: Identify certificates issued by unauthorized CAs or for unexpected hostnames (Detect phishing domains or internal names leaked to public logs)
  • Certificate Lifecycle Tracking: Monitor certificate renewals, track expiration dates, and plan migrations (DevOps teams use this to prevent outages from expired certificates)
  • CA Diversity Analysis: Understand which CAs are issuing certificates for your organization (Compliance teams verify approved CA usage)

Key Certificate Fields

  • Common Name (CN): Primary domain name the certificate is issued for
  • Subject Alternative Names (SANs): Additional hostnames covered by the certificate, including wildcards
  • Issuer: Certificate Authority that issued the certificate (e.g., Let's Encrypt, DigiCert)
  • Validity Period: Start (Not Before) and end (Not After) dates when the certificate is valid
  • Serial Number: Unique identifier assigned by the CA, used for revocation lookups
  • Entry Timestamp: When the certificate was logged to CT, which may differ from the certificate's own issuance (Not Before) date

Security Considerations

  • CT Logs are Public: All logged certificates are publicly visible. Avoid including sensitive hostnames in SANs if they should remain private.
  • Monitor for Unexpected Issuance: Regularly check CT logs for your domains to detect phishing attempts or unauthorized certificates.
  • CAA Records: Use DNS CAA records to restrict which CAs can issue certificates for your domains.
  • Certificate Pinning: For high-security applications, consider certificate pinning to prevent MITM attacks.

Best Practices

  • Regular Monitoring: Periodically search CT logs for your domains to detect anomalies
  • Automate Alerts: Set up automated monitoring to alert on new certificate issuance
  • Review SANs Carefully: Ensure certificates only include necessary hostnames to minimize exposure
  • Track Expiration Dates: Monitor certificates expiring soon to prevent service disruptions
  • Validate Issuers: Ensure only authorized CAs are issuing certificates for your domains
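The following script is an added example (not code from this page or from crt.sh) that puts the use cases above into practice: it takes a crt.sh-style JSON result set, deduplicates it, enumerates every hostname from the CN and SAN fields, flags certificates whose issuer is not on an allowlist, lists certificates expiring within a horizon, and flags names that look like internal hosts. It assumes the field names crt.sh uses in its JSON output (issuer_name, common_name, name_value with newline-separated names, not_before, not_after, serial_number); the log entries, the CA allowlist and the internal-name markers are all constructed for the example.

```python
"""Triage a crt.sh-style JSON result set for one domain.

Added example, not code from this page or from crt.sh. It assumes the
crt.sh JSON output shape (issuer_name, common_name, name_value with
newline-separated names, not_before / not_after ISO timestamps,
serial_number); the entries below are constructed sample data.
"""
import json
from datetime import datetime, timedelta

# Constructed sample shaped like crt.sh "?q=%25.example.com&output=json".
# The first two rows share a serial number: a precertificate and its final
# certificate are logged separately but describe the same issuance.
SAMPLE_JSON = r"""[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
  "name_value": "www.example.com\nexample.com", "serial_number": "04a1",
  "not_before": "2024-05-01T09:00:00", "not_after": "2024-07-30T09:00:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
  "name_value": "www.example.com\nexample.com", "serial_number": "04a1",
  "not_before": "2024-05-01T09:00:00", "not_after": "2024-07-30T09:00:00"},
 {"issuer_name": "C=US, O=DigiCert Inc, CN=Example DigiCert Intermediate",
  "common_name": "api.example.com",
  "name_value": "api.example.com\nstaging-db.internal.example.com", "serial_number": "0b22",
  "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
 {"issuer_name": "C=XX, O=Unapproved CA Ltd, CN=Unapproved CA Root",
  "common_name": "login.example.com", "name_value": "login.example.com",
  "serial_number": "0c33",
  "not_before": "2024-05-20T00:00:00", "not_after": "2025-05-20T00:00:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.example.com",
  "name_value": "*.example.com", "serial_number": "0d44",
  "not_before": "2024-03-22T00:00:00", "not_after": "2024-06-20T00:00:00"}
]"""


def parse_entries(raw_json):
    """Parse crt.sh JSON and deduplicate by serial number (precert + leaf pairs)."""
    seen, entries = set(), []
    for row in json.loads(raw_json):
        if row["serial_number"] in seen:
            continue
        seen.add(row["serial_number"])
        entries.append({
            "issuer": row["issuer_name"],
            "cn": row["common_name"],
            "names": sorted(set(row["name_value"].split("\n"))),
            "not_before": datetime.fromisoformat(row["not_before"]),
            "not_after": datetime.fromisoformat(row["not_after"]),
            "serial": row["serial_number"],
        })
    return entries


def hostnames(entries):
    """Asset discovery: every CN and SAN that appears in any logged certificate."""
    names = set()
    for e in entries:
        names.add(e["cn"])
        names.update(e["names"])
    return sorted(names)


def unauthorized_issuers(entries, allowed_orgs):
    """Mis-issuance check: certificates whose issuer O= is not on the allowlist."""
    return [(e["cn"], e["issuer"]) for e in entries
            if not any(f"O={org}" in e["issuer"] for org in allowed_orgs)]


def expiring_within(entries, now, days):
    """Lifecycle check: currently valid certificates that expire within `days`."""
    horizon = now + timedelta(days=days)
    return [(e["cn"], e["not_after"].date().isoformat()) for e in entries
            if e["not_before"] <= now <= e["not_after"] <= horizon]


def internal_names(entries, markers=("internal", "corp", "staging")):
    """Exposure check: names containing a label that looks like an internal host.
    The marker list is a constructed heuristic; tune it to your naming scheme."""
    return sorted(name for name in hostnames(entries)
                  if any(m in name.split(".") for m in markers))


def triage(raw_json, now, allowed_orgs, expiry_days=30):
    """Run all checks and return one report dict."""
    entries = parse_entries(raw_json)
    return {
        "hostnames": hostnames(entries),
        "unauthorized": unauthorized_issuers(entries, allowed_orgs),
        "expiring": expiring_within(entries, now, expiry_days),
        "internal": internal_names(entries),
    }


def demo():
    """Fixed clock and constructed allowlist so the sample run is reproducible."""
    return triage(SAMPLE_JSON, datetime(2024, 6, 1), ["Let's Encrypt", "DigiCert Inc"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real monitor you would feed the function the body of a crt.sh JSON query for your domain and derive the issuer allowlist from the same list of CAs your CAA records authorize, so a certificate that slipped past CAA shows up as unauthorized here. Deduplicating on serial number matters because each issuance typically appears twice in CT (precertificate and final certificate), which would otherwise double-count expiring and mis-issued certificates.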

Quick Tips

  • CT logs are append-only and cannot be modified or deleted
  • Wildcard certificates (*.example.com) cover all subdomains
  • Internal hostnames in SANs become publicly visible via CT logs
  • Most browsers require CT compliance for certificates to be trusted
  • crt.sh searches multiple CT log servers for comprehensive results
  • Certificate issuance != activation: a logged certificate is not necessarily deployed or yet valid, so check the validity dates carefully
  • Use CAA records to specify which CAs can issue for your domain