Certificate Transparency
A public logging framework that records all SSL/TLS certificates issued by certificate authorities, enabling detection of unauthorized or suspicious certificates.
Definition
Certificate Transparency (CT) is an open framework, defined in RFC 6962, that requires certificate authorities (CAs) to log every SSL/TLS certificate they issue to publicly auditable, append-only logs. Anyone can query these logs to see certificates issued for any domain, allowing domain owners, security researchers, and automated systems to monitor for misissued or unauthorized certificates.
Why It Matters
Certificate Transparency closes a significant blind spot in PKI trust. Before CT, a compromised or rogue CA could issue certificates for any domain without the domain owner's knowledge, enabling man-in-the-middle attacks at scale. CT logs also expose attacker infrastructure: threat actors frequently obtain TLS certificates for phishing and typosquatting domains shortly before launching campaigns, making CT monitoring a valuable early-warning signal for attack surface changes.
How It Works
When a CA issues a certificate, it submits the certificate to one or more CT logs and receives a Signed Certificate Timestamp (SCT) in return. The SCT is embedded in the certificate, stapled via OCSP, or delivered via TLS extension, allowing browsers to verify the certificate was logged. Analysts query CT logs — most commonly via crt.sh, which aggregates multiple logs — to enumerate subdomains, track certificate issuance for a domain, and identify certificates for suspicious lookalike domains.
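An added example of the monitoring workflow described above (not code from the original page or from the DFIR Lab platform): it parses the JSON that crt.sh returns for a `%.example.com` query, enumerates the DNS names seen in logged certificates, reports certificates issued by a CA outside an allow-list, and lists which ones are currently valid. The crt.sh record fields used (`id`, `issuer_name`, `common_name`, `name_value`, `not_before`, `not_after`) are those the `output=json` endpoint returns; the three log entries embedded below are constructed sample data, and the issuer of entry 3 is a placeholder name, not a real CA.

```python
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from datetime import datetime

# Constructed sample shaped like the crt.sh response for
# https://crt.sh/?q=%25.example.com&output=json. These are made-up
# entries, not real log data; "Example Placeholder CA" is a placeholder.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_ca_id": 1,
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "entry_timestamp": "2024-03-01T10:00:00",
     "not_before": "2024-03-01T09:00:00", "not_after": "2024-05-30T09:00:00",
     "serial_number": "01"},
    {"id": 2, "issuer_ca_id": 1,
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com",
     "entry_timestamp": "2024-04-10T10:00:00",
     "not_before": "2024-04-10T09:00:00", "not_after": "2024-07-09T09:00:00",
     "serial_number": "02"},
    {"id": 3, "issuer_ca_id": 2,
     "issuer_name": "C=XX, O=Example Placeholder CA, CN=Placeholder Issuing CA",
     "common_name": "vpn-staging.example.com",
     "name_value": "vpn-staging.example.com",
     "entry_timestamp": "2024-04-20T10:00:00",
     "not_before": "2024-04-20T09:00:00", "not_after": "2025-04-20T09:00:00",
     "serial_number": "03"},
])


def fetch_crtsh(domain: str) -> str:
    """Live lookup (network required): raw crt.sh JSON for every name under `domain`."""
    query = urllib.parse.quote(f"%.{domain}")
    url = f"https://crt.sh/?q={query}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_crtsh(raw_json: str) -> list[dict]:
    """Turn crt.sh rows into records with parsed dates and a split list of DNS names.

    crt.sh packs all SubjectAltName entries of a certificate into `name_value`,
    one per line, so a single log entry can cover many hostnames.
    """
    records = []
    for row in json.loads(raw_json):
        records.append({
            "id": row["id"],
            "issuer_name": row["issuer_name"],
            "common_name": row["common_name"],
            "names": [n.strip().lower() for n in row["name_value"].split("\n") if n.strip()],
            "not_before": datetime.fromisoformat(row["not_before"]),
            "not_after": datetime.fromisoformat(row["not_after"]),
        })
    return records


def in_scope(name: str, domain: str) -> bool:
    """True for the apex domain, its subdomains and wildcards under it.

    The suffix check uses a leading dot so that a name such as
    example.com.other.test is not mistaken for a subdomain.
    """
    bare = name[2:] if name.startswith("*.") else name
    return bare == domain or bare.endswith("." + domain)


def discovered_names(records: list[dict], domain: str) -> set[str]:
    """Distinct DNS names (wildcards included) logged for the monitored domain."""
    return {n for r in records for n in r["names"] if in_scope(n, domain)}


def unexpected_issuers(records: list[dict], allowed_issuers: list[str]) -> list[dict]:
    """Certificates whose issuer does not match any allowed CA substring."""
    return [r for r in records if not any(a in r["issuer_name"] for a in allowed_issuers)]


def currently_valid(records: list[dict], now_iso: str) -> list[dict]:
    """Certificates whose validity window contains the given ISO-8601 timestamp."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in records if r["not_before"] <= now <= r["not_after"]]


if __name__ == "__main__":
    # Replace SAMPLE_CRTSH_JSON with fetch_crtsh("example.com") for a live run.
    entries = parse_crtsh(SAMPLE_CRTSH_JSON)
    print("names seen in CT:", sorted(discovered_names(entries, "example.com")))
    for r in unexpected_issuers(entries, ["Let's Encrypt"]):
        print(f"unexpected issuer for log entry {r['id']}: {r['issuer_name']}")
    for r in currently_valid(entries, "2024-06-15T00:00:00"):
        print(f"valid now: entry {r['id']} ({r['common_name']}) until {r['not_after']}")
```

The issuer allow-list is the part a domain owner tunes: it should mirror the CAs permitted by the domain's CAA records, so that any certificate logged by another CA is flagged as potential misissuance. Wildcard names are kept as-is in the discovered set so that wildcard issuance, which can obscure individual hostnames, is itself visible.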
DFIR Platform
Exposure Scanner
The DFIR Lab Exposure Scanner uses crt.sh — a Certificate Transparency log aggregator — as one of its 11 intelligence providers for subdomain discovery. CT data surfaces subdomains and hostnames that may not be visible through DNS enumeration alone, expanding the discovered attack surface for monitored assets.