TL;DR
Certificate Transparency (CT) logs publicly record issued SSL/TLS certificates. This means anyone can check if a certificate has been unexpectedly issued for your domain, potentially indicating a compromise or misconfiguration. We’ll show you how to monitor these logs and find out if your domains are ‘gossiping’ – i.e., showing up in unexpected places.
Checking Certificate Transparency Logs
- Understand What You’re Looking For: CT logs contain details like the domain name, issuer, serial number and validity dates of certificates. Unexpected entries could mean:
  - A rogue internal certificate authority (CA) issued a certificate without permission.
  - Your website was compromised and an attacker obtained a certificate.
  - A misconfiguration allowed someone else to issue a certificate for your domain.
- Use Certificate Search Tools: Several free tools let you search CT logs.
  - crt.sh: A popular and easy-to-use website. https://crt.sh
  - SSL Labs SSL Server Test: Includes a CT log check as part of its overall analysis. https://www.ssllabs.com/ssltest/
  - Google’s Certificate Transparency Search Tool: More technical, but provides direct access to the logs. https://certificate-transparency.google.com/
- Search crt.sh for Your Domains:
  - Go to https://crt.sh.
  - Enter your domain name (e.g., example.com) in the search box and click ‘Search’. You can also use wildcard searches like *.example.com to find certificates for subdomains.
  - Review the results carefully. Pay attention to:
    - Issuer: Is it a CA you recognise and trust?
    - Serial Number: Unique identifier of the certificate.
    - Validity Period: When was the certificate issued, and when does it expire?
- Automated Monitoring with Command Line Tools (Advanced): For regular checks, you can use command-line tools.
  - dig +trace example.com
    This traces DNS resolution for your domain and may point you to hosts or services you don’t expect, whose certificates you can then check.
  - openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -issuer
    This command retrieves the issuer of the certificate currently served by your website (-servername sends SNI so the right certificate is returned; </dev/null stops s_client from waiting for keyboard input).
- Investigate Unexpected Certificates: If you find a certificate you don’t recognise:
  - Contact Your CA: Report the unexpected issuance. They can investigate if it was issued legitimately or fraudulently.
  - Check Internal Systems: Look for rogue applications or services that might be generating certificates.
  - Review Security Logs: Examine your server logs and firewall logs for suspicious activity.
  - Revoke the Certificate (If Possible): If you have control over the CA, revoke the certificate immediately to prevent further misuse.
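To turn the crt.sh search and review steps above into a repeatable check, here is an added Python example (not part of the original article or of crt.sh) that triages a batch of crt.sh JSON records: it flags any certificate whose issuer is not on your allow-list and any certificate whose subject names stray outside the monitored domain. The sample records are constructed in the shape of crt.sh’s `output=json` response; the allow-list and the `fetch_crtsh` helper are assumptions for illustration.

```python
import json
import urllib.request
from datetime import datetime, timezone

# crt.sh JSON endpoint for all names under a domain ("%" is crt.sh's wildcard).
CRTSH_URL = "https://crt.sh/?q=%25.{domain}&output=json"

# Constructed sample in the shape of crt.sh's JSON output (all values invented).
SAMPLE_RECORDS = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com", "serial_number": "03a1",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 1002, "issuer_name": "O=Internal Corp CA, CN=corp-issuing-01",
     "name_value": "dev.example.com", "serial_number": "1f",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "api.example.com\nshop.unrelated.invalid", "serial_number": "7b",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
]

# Assumed allow-list: issuer-name fragments for the CAs you actually use.
TRUSTED_ISSUERS = ("O=Let's Encrypt", "O=DigiCert Inc")


def fetch_crtsh(domain):
    """Download live CT entries for *.domain from crt.sh (needs network; not used below)."""
    with urllib.request.urlopen(CRTSH_URL.format(domain=domain), timeout=30) as resp:
        return json.load(resp)


def triage(records, domain, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return one finding per certificate worth a look; `now` is an ISO timestamp or None."""
    now = datetime.fromisoformat(now) if now else datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []
    for rec in records:
        reasons = []
        if not any(t in rec["issuer_name"] for t in trusted_issuers):
            reasons.append("issuer not on allow-list: " + rec["issuer_name"])
        # name_value lists the certificate's subject names, one per line.
        names = rec["name_value"].split("\n")
        foreign = [n for n in names if n != domain and not n.endswith("." + domain)]
        if foreign:  # a cert covering your name plus unrelated ones deserves a look
            reasons.append("SANs outside " + domain + ": " + ", ".join(foreign))
        if reasons:
            expired = datetime.fromisoformat(rec["not_after"]) < now
            findings.append({"id": rec["id"], "serial": rec["serial_number"],
                             "expired": expired, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, "example.com", now="2024-06-01T00:00:00"):
        print(finding)
```

Each finding carries the crt.sh `id`, so a flagged entry can be opened directly at https://crt.sh/?id=<id> for the full certificate before you contact the CA.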
Resources
- Certificate Transparency documentation: https://certificate-transparency.github.io/

