Certificate Transparency
What is Certificate Transparency?
Certificate Transparency: An ecosystem of append-only public logs of TLS certificates, defined by RFC 6962 and RFC 9162, that lets anyone audit which certificates exist for any domain.
Certificate Transparency (CT) requires public CAs to submit every issued TLS certificate to one or more append-only Merkle-tree logs; each log returns a Signed Certificate Timestamp (SCT) that the browser can verify. The logs are openly searchable through services such as crt.sh, Censys, Cert Spotter, and Google's CT log viewer. Defenders use CT to discover their own shadow-IT subdomains, detect look-alike phishing certificates, monitor for unauthorized issuance, and pivot during investigations. Threat hunters watch CT feeds for new certificates that match brand keywords or attacker patterns, often within minutes of issuance, which is faster than passive DNS or WHOIS.
● Examples
- Receiving an alert when crt.sh shows a brand-new certificate for login-yourcompany-support.com.
- Inventorying every subdomain a CA has issued certificates for, including ones the team forgot about.
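The append-only Merkle-tree log and inclusion proof described above, as an added example that is not part of this glossary or of any CT log's own code: RFC 6962 leaf and node hashing, audit-path generation, and the RFC 9162 inclusion-proof check, run over a constructed five-entry log whose subjects (including the look-alike login-yourcompany-support.com from the examples) are made up.

```python
import hashlib

def leaf_hash(data: bytes) -> bytes:
    # RFC 6962 domain separation: leaves get a 0x00 prefix, nodes 0x01.
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def tree_hash(leaves: list) -> bytes:
    # Merkle Tree Hash MTH(D[n]), RFC 6962 section 2.1.
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two < n
    return node_hash(tree_hash(leaves[:k]), tree_hash(leaves[k:]))

def audit_path(leaves: list, m: int) -> list:
    # PATH(m, D[n]): sibling hashes from leaf m up to the root, as served by get-proof-by-hash.
    n = len(leaves)
    if n <= 1:
        return []
    k = 1 << ((n - 1).bit_length() - 1)
    if m < k:
        return audit_path(leaves[:k], m) + [tree_hash(leaves[k:])]
    return audit_path(leaves[k:], m - k) + [tree_hash(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    # Inclusion-proof verification from RFC 9162 section 2.1.3.2.
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(leaf)
    for sibling in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(sibling, r)
            while fn and not fn & 1:  # skip levels where this node had no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, sibling)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed toy log of certificate subjects (not real CT entries).
LOG = [b"www.yourcompany.com", b"mail.yourcompany.com", b"old-test.yourcompany.com",
       b"login-yourcompany-support.com", b"api.yourcompany.com"]
ROOT = tree_hash(LOG)
```

A monitor that fetches a signed tree head and a proof for a certificate it cares about can run `verify_inclusion` to confirm the log really contains that entry rather than trusting the log's say-so.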
● Frequently asked questions
What is Certificate Transparency?
An ecosystem of append-only public logs of TLS certificates, defined by RFC 6962 and 9162, that lets anyone audit which certificates exist for any domain. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Certificate Transparency?
Common alternative names include: CT logs, CT.
● Related terms
- SSL (Secure Sockets Layer) [network-security]: The historical predecessor of TLS, originally developed by Netscape in the 1990s to encrypt traffic on the web and now formally deprecated.
- TLS (Transport Layer Security) [network-security]: The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- Certificate Authority (CA) [network-security]: A trusted entity that issues and signs digital certificates, binding cryptographic public keys to verified identities such as domain names or organisations.
- Passive DNS [defense-ops]: A historical database of observed DNS resolutions that lets investigators look up which IPs a domain pointed to and which domains shared an IP over time.
- WHOIS Lookup [defense-ops]: A query against the WHOIS or RDAP database that returns the registration details of a domain or IP, including registrar, registrant, dates, and name servers.
● See also
- Censys