Certificate Transparency (CT) - Public Certificate Audit Log

Summary: Certificate Transparency (RFC 6962) is an open framework that records all issued TLS certificates in publicly verifiable, append-only logs. It was developed by Google to detect fraudulent or improperly issued certificates. All modern browsers require CT entries (SCTs) in certificates. For pentesters, CT is a valuable OSINT tool for subdomain discovery (crt.sh, censys.io). Organizations can use CT monitoring to detect unauthorized certificate issuances for their own domains.

Certificate Transparency solves a fundamental problem with PKI: Who verifies whether a Certificate Authority (CA) has issued a certificate for a domain? Before CT, compromised CAs (DigiNotar in 2011, Comodo in 2011) could issue certificates for any domain—such as *.google.com—without being detected. CT makes this publicly visible.

CT Architecture

Certificate Transparency Ecosystem:

Participants:
  Certificate Authorities (CAs):   DigiCert, Let&#x27;s Encrypt, Sectigo, ...
  CT Log Operators:                Google, DigiCert, Sectigo (operate logs)
  Monitor/Auditor:                 Browsers, independent auditors, companies
  Domain Owners:                    Anyone monitoring certificate issuance

Certificate Issuance Process with CT:

1. CA issues a certificate for domain.de
2. CA submits the certificate to the CT log server
3. CT log responds with a Signed Certificate Timestamp (SCT)
   → SCT = cryptographic proof: &quot;This certificate was recorded in log Y on X&quot;
4. CA embeds SCT in certificate (or OCSP stapling or TLS extension)
5. Browser checks: Does the certificate contain a valid SCT from a known log?
   → No → Certificate is rejected! (Chrome since 2018)

Append-Only Log Structure (Merkle Tree):
  → Once entered: cannot be deleted or modified!
  → Merkle Tree Hash: any change would be detected
  → Log operators cannot cheat without being detected

Important CT logs:
  Google Argon (2024):    ct.googleapis.com/logs/us1/argon2024/
  Google Xenon (2024):    ct.googleapis.com/logs/us1/xenon2024/
  DigiCert Log Server:    ct1.digicert-ct.com/log/
  Let&#x27;s Encrypt Oak:      oak.ct.letsencrypt.org/2024/
  Sectigo:                sabre.ct.comodo.com/

CT as an OSINT Tool (Subdomain Discovery)

Subdomain Discovery via Certificate Transparency:

Why CT is valuable for penetration testers:
  → EVERY public TLS certificate ends up in the CT log
  → Subdomains in SAN (Subject Alternative Names) are public!
  → New subdomains are immediately visible (even before DNS propagation)
  → Even HTTPS pages without a web presence (internal, staging) are often in CT

crt.sh - free CT search:
  # Find all certificates for *.example.com:
  https://crt.sh/?q=%25.example.com&amp;output;=json

  # API access via curl:
  curl -s &quot;https://crt.sh/?q=%25.example.com&amp;output;=json&quot; | \
    python3 -c &quot;
  import json,sys
  data = json.load(sys.stdin)
  domains = set()
  for cert in data:
      for name in cert.get(&#x27;name_value&#x27;,&#x27;&#x27;).split(&#x27;\n&#x27;):
          if name.strip():
              domains.add(name.strip().lower())
  for d in sorted(domains):
      print(d)&quot;

  Typical findings from CT:
  → api-staging.example.com
  → admin-old.example.com
  → jenkins.internal.example.com  (used to be public!)
  → dev.example.com               (often with less security!)
  → mail2.example.com             (old mail server)

Additional CT-based OSINT tools:
  subfinder (integrates CT sources):
    subfinder -d example.com -sources certspotter,crtsh -v

  amass (multi-source):
    amass enum -d example.com -src

  certspotter (Sslmate):
    # Real-time CT monitor with API:
    https://sslmate.com/certspotter/api/v1/issuances?domain=example.com&amp;include;_subdomains=true

  censys.io:
    # Advanced certificate search + Shodan-like features:
    censys search &quot;parsed.names: example.com&quot; --index=certificates

Wildcard certificates in CT:
  → *.example.com shows domain existence but not subdomains
  → Often specific subdomains alongside: api.example.com individually
  → Multi-SAN certs: one cert for 50 subdomains → all visible!

CT for Attack Surface Discovery:
  □ Find forgotten assets (old staging systems, dev endpoints)
  □ Cloud provider domains: *.s3.amazonaws.com, *.azurewebsites.net
  □ Third-party services: identify which SaaS is being used
  □ Historical certificates: Was a domain ever hosted elsewhere?

CT Monitoring for Businesses

Monitor your own domain (detect unauthorized certificates):

Scenarios to be detected:
  → Phishing domain: secure-example.com (deceptively similar!)
  → Typosquatting: exmple.com (typo in your own name)
  → Subdomain takeover: old subdomain points to a third-party server
  → Compromised CA issues a certificate for your own domain
  → Internal subdomain is accidentally made public

CertSpotter (SSLMate) - Monitoring service:
  # Free: monitor up to 5 domains
  # Alerts when a new certificate is issued for domain.com

  API integration:
  curl -s &quot;https://api.certspotter.com/v1/issuances&quot; \
    -H &quot;Authorization: Bearer API_KEY&quot; \
    --data-urlencode &quot;domain=example.com&quot; \
    --data-urlencode &quot;include_subdomains=true&quot; \
    --data-urlencode &quot;expand=issuer,cert&quot;

Facebook Certificate Transparency Monitor:
  → facebook.com/transparency
  → Email alerts for new certificates for your own domain
  → Free for any domains

Custom monitoring with the Go-CT library:
  # Certstream - Real-time CT log stream:
  pip install certstream
  certstream --domains example.com
  # → Immediately when a new certificate is issued

Important questions regarding CT monitoring:
  □ Which CAs are authorized for our domain?
     → Set CAA DNS record! (Certification Authority Authorization)
     → Only authorized CAs may issue certificates
  □ Are all found subdomains known?
     → Unknown subdomains = potential shadow IT or forgotten assets
  □ Are certificates renewed properly?
     → CT displays expiration date!

CAA Record (Certificate Authority Authorization):
  # Only Let&#x27;s Encrypt and DigiCert allowed:
  example.com. IN CAA 0 issue &quot;letsencrypt.org&quot;
  example.com. IN CAA 0 issue &quot;digicert.com&quot;
  example.com. IN CAA 0 issuewild &quot;;&quot;  ← Prohibit wildcard certificates!
  example.com. IN CAA 0 iodef &quot;mailto:security@example.com&quot;  ← Alert email

  # Verify:
  dig CAA example.com

  → If a third-party CA issues a certificate anyway → visible in CT logs!
  → Some browsers/CAs respect CAA before issuance

Security implications

CT and Data Protection:

Public nature of CT entries:
  → ALL certificates recorded in CT logs are PUBLICLY viewable
  → Includes: Domains, subdomains, issuance date, expiration date, CA
  → Also applies to:
    - Internal subdomains (if a public CA was used!)
    - Beta/staging systems
    - VPN access points (if using a public CA)

Data protection best practices:
  □ NEVER secure internal services with a public CA
     → Instead: Private CA (company-owned PKI)
     → Private CA certificates do not end up in CT logs!
  □ Subdomain scheme should not be too revealing:
     → vpn-germany-headquarters.example.com → reveals location!
  □ Only include necessary SANs in certificates

Security of the CT logs themselves:
  → Multiple independent log operators (no single point of failure)
  → Google Chrome: List of trusted CT logs
  → Log compromise: Merkle tree inconsistency immediately detectable

SCT validation by browsers:
  Chrome:  At least 2 SCTs from different logs for DV certificates
           At least 3 SCTs for EV certificates
  Safari:  Similar requirements (Apple CT Policy)
  Firefox: Still in rollout (2024+)

Consequences of missing CT:
  → Browser displays a warning or blocks the page
  → NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
  → No legitimate certificates without CT entries are possible anymore!