Blog | G5 Cyber Security

Check Certificate Transparency Logs

TL;DR

Certificate Transparency (CT) logs publicly record issued SSL/TLS certificates. This means anyone can check if a certificate has been unexpectedly issued for your domain, potentially indicating a compromise or misconfiguration. We’ll show you how to monitor these logs and find out if your domains are ‘gossiping’ – i.e., showing up in unexpected places.

Checking Certificate Transparency Logs

  1. Understand What You’re Looking For: CT logs contain details like the domain name, issuer, serial number and validity dates of certificates. Unexpected entries could mean:
    • A rogue internal certificate authority (CA) issued a certificate without permission.
    • Your website was compromised and an attacker obtained a certificate.
    • A misconfiguration allowed someone else to issue a certificate for your domain.
  2. Use Certificate Search Tools: Several free tools let you search CT logs.
  3. Search crt.sh for Your Domains:
    1. Go to https://crt.sh.
    2. Enter your domain name (e.g., example.com) in the search box and click ‘Search’. You can also use wildcard searches like *.example.com to find certificates for subdomains.
    3. Review the results carefully. Pay attention to:
      • Issuer: Is it a CA you recognise and trust?
      • Serial Number: Unique identifier of the certificate.
      • Validity Period: When was the certificate issued, and when does it expire?
  4. Automated Monitoring with Command Line Tools (Advanced): For regular checks, you can use command-line tools.
    dig +trace example.com

    This will show the DNS delegation chain and records for your domain. DNS does not carry certificates, but the hostnames and services it reveals may include ones you did not expect, and those are worth looking up in the CT logs as well.

    openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -issuer

    This command retrieves the issuer of the certificate currently served by your website.

  5. Investigate Unexpected Certificates: If you find a certificate you don’t recognise:
    • Contact Your CA: Report the unexpected issuance. They can investigate if it was issued legitimately or fraudulently.
    • Check Internal Systems: Look for rogue applications or services that might be generating certificates.
    • Review Security Logs: Examine your server logs and firewall logs for suspicious activity.
    • Revoke the Certificate (If Possible): If you have control over the CA, revoke the certificate immediately to prevent further misuse.
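
The manual crt.sh review in step 3 and the regular checks in step 4 can be combined into one script. The following is an added example, not code from the original post or from G5 Cyber Security. It assumes the crt.sh JSON endpoint (https://crt.sh/?q=<query>&output=json) returns a list of objects with the fields issuer_name, common_name, name_value, serial_number, not_before and not_after; the sample response, the trusted-issuer list and the host inventory below are constructed, so the script runs offline. It flags any certificate whose issuer is outside your allowlist or whose hostname is not in your inventory.

```python
"""Flag unexpected certificates for a domain from crt.sh CT-log search results.

Added example (not part of the original post). Assumes the crt.sh JSON endpoint
https://crt.sh/?q=<query>&output=json returns a list of objects with the fields
issuer_name, common_name, name_value, serial_number, not_before and not_after.
The sample response below is constructed for offline use.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime

# Constructed sample of what crt.sh returns for "%.example.com" (not real data).
SAMPLE_RESPONSE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "serial_number": "03a1b2c3d4e5f60718293a4b5c6d7e8f9a0b",
     "not_before": "2024-01-10T08:00:00", "not_after": "2024-04-09T08:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com",
     "serial_number": "04ffeeddccbbaa99887766554433221100ab",
     "not_before": "2024-02-01T08:00:00", "not_after": "2024-05-01T08:00:00"},
    {"issuer_name": "CN=Corp Internal Test CA",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com",
     "serial_number": "1a2b3c4d5e6f",
     "not_before": "2024-02-15T08:00:00", "not_after": "2025-02-15T08:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.example.com",
     "name_value": "staging.example.com",
     "serial_number": "0522334455667788990011223344556677ab",
     "not_before": "2024-02-20T08:00:00", "not_after": "2024-05-20T08:00:00"},
])

# Issuer DNs (as crt.sh prints them) that you expect to issue for your domains.
TRUSTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}
# Hostnames your inventory says should carry public certificates.
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}


def fetch_crtsh(domain):
    """Download the crt.sh JSON results for the domain and all its subdomains.
    Makes a network call, so it is not exercised in the offline run below."""
    query = urllib.parse.quote("%." + domain)
    url = "https://crt.sh/?q=%s&output=json" % query
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_entries(raw_json):
    """Turn the crt.sh JSON list into one record per (certificate, hostname)."""
    entries = []
    for cert in json.loads(raw_json):
        # name_value holds every subject alternative name, newline-separated.
        for host in cert["name_value"].split("\n"):
            entries.append({
                "host": host.strip().lower(),
                "issuer": cert["issuer_name"],
                "serial": cert["serial_number"],
                "not_before": datetime.fromisoformat(cert["not_before"]),
                "not_after": datetime.fromisoformat(cert["not_after"]),
            })
    return entries


def find_unexpected(entries, trusted_issuers, known_hosts):
    """Return the entries that need investigation, each tagged with the reason:
    an issuer outside the allowlist and/or a hostname missing from inventory."""
    findings = []
    for e in entries:
        reasons = []
        if e["issuer"] not in trusted_issuers:
            reasons.append("untrusted issuer")
        if e["host"] not in known_hosts:
            reasons.append("unknown host")
        if reasons:
            findings.append(dict(e, reasons=reasons))
    return findings


def report(findings):
    """Print one line per finding with the fields step 3 tells you to review."""
    for f in findings:
        print("%s  serial=%s  issuer=%s  valid %s..%s  [%s]" % (
            f["host"], f["serial"], f["issuer"],
            f["not_before"].date(), f["not_after"].date(),
            ", ".join(f["reasons"])))


if __name__ == "__main__":
    # For a live check replace SAMPLE_RESPONSE with fetch_crtsh("example.com").
    report(find_unexpected(parse_entries(SAMPLE_RESPONSE),
                           TRUSTED_ISSUERS, KNOWN_HOSTS))
```

Run it from cron and diff the output against the previous run; a new line is a certificate you have not seen before and should hand to step 5. Keep the issuer allowlist tight: an entry such as the internal test CA above is exactly the rogue-CA case from step 1, and the unknown staging host is the misconfiguration or forgotten-service case.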

Resources
