
Certificate Transparency Logs

Category: cryptography · Level: Advanced

Also Known As

CT logs, Certificate Transparency, crt.sh, CAA record

TL;DR

Public append-only logs of all issued TLS certificates — enabling detection of misissuance and rogue certificates within hours rather than months.

Explanation

Certificate Transparency (RFC 6962) has CAs submit every certificate they issue to public, append-only logs, and browsers refuse certificates that carry no proof of logging; Chrome has required CT since 2018. Benefits: detection of rogue certificates (if an attacker obtains a certificate for your domain from a compromised CA, the CT logs reveal it), monitoring of your domain for unexpected certificates via crt.sh, and accountability for CAs. CAA DNS records restrict which CAs may issue for your domain, adding a prevention layer alongside CT's detection.

Common Misconception

Misconception: Certificate Transparency prevents certificate misissuance. Reality: CT logs detect misissuance after the fact and enable rapid response; CAA DNS records provide prevention.

Why It Matters

Without CT logs, a CA could issue a certificate for your domain to an attacker and nobody would know for months. With CT, every certificate becomes publicly auditable within seconds of issuance.

Common Mistakes

  • Not monitoring CT logs for your domain — rogue certs go unnoticed
  • No CAA DNS record — any CA can issue for your domain without restriction
  • Not checking CT logs when deploying new domains
  • Assuming HTTPS means no MitM: a rogue certificate used for HTTPS interception looks valid to the client and is effectively undetectable without CT monitoring

Code Examples

✗ Vulnerable
// No CT monitoring:
// 2024: attacker compromises a CA, gets cert for company.com
// CT log records it immediately — but company has no monitoring
// Attack runs for 12 months before discovered in incident response
✓ Fixed
# CAA DNS record: restrict which CAs may issue (zone-file form):
#   company.com. IN CAA 0 issue "letsencrypt.org"
# Only Let's Encrypt may issue for company.com; other CAs must refuse. Confirm it is published:
dig +short CAA company.com

# Monitor CT logs via the crt.sh JSON API (every name with a logged certificate, deduplicated):
curl -s 'https://crt.sh/?q=company.com&output=json' | jq -r '.[].name_value' | sort -u
# Or subscribe to Cert Spotter for email alerts on new issuance
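Building on the Fixed block (allowlist the CA you actually use, review every logged name), here is an added example in Python that is not part of the original glossary entry: it deduplicates crt.sh JSON rows, extracts the issuer organisation, and flags any certificate from an issuer or for a hostname you did not expect. The sample rows, the domain company.com, the issuer "Example Rogue CA" and the function names are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of crt.sh JSON rows for the hypothetical domain company.com;
# the real API uses these same field names (id, issuer_name, name_value, not_before).
SAMPLE_CRTSH = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "company.com\nwww.company.com", "not_before": "2026-03-01T00:00:00"},
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",  # repeated row, same cert
     "name_value": "company.com\nwww.company.com", "not_before": "2026-03-01T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.company.com", "not_before": "2026-03-10T00:00:00"},
    {"id": 1003, "issuer_name": "C=XX, O=Example Rogue CA, CN=Example Rogue CA G1",
     "name_value": "company.com", "not_before": "2026-03-12T00:00:00"},
]

def fetch_crtsh(query, timeout=30):
    """Live lookup; pass '%.company.com' to match every subdomain (crt.sh wildcard)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(query) + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def issuer_org(issuer_name):
    """Pull the O= attribute out of crt.sh's issuer_name DN string (plain comma split)."""
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:].strip()
    return issuer_name

def unexpected_certs(entries, allowed_issuers, known_names):
    """Return rows whose issuer is not allowlisted or that name hosts you do not run."""
    findings, seen = [], set()
    for e in entries:
        if e["id"] in seen:  # crt.sh can return the same certificate more than once
            continue
        seen.add(e["id"])
        names = {n.strip().lower() for n in e["name_value"].splitlines()}
        issuer = issuer_org(e["issuer_name"])
        reasons = []
        if issuer not in allowed_issuers:
            reasons.append("issuer not allowlisted: " + issuer)
        stray = sorted(names - known_names)
        if stray:
            reasons.append("unknown names: " + ", ".join(stray))
        if reasons:
            findings.append({"id": e["id"], "not_before": e["not_before"], "issuer": issuer,
                             "names": sorted(names), "reasons": reasons})
    return findings
```

For a live run, feed fetch_crtsh('%.company.com') into unexpected_certs on a schedule and treat every finding as a candidate for revocation and incident response.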

Added 16 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Monitor crt.sh for certificates issued for your domains — any certificate you didn't request is a sign of compromise or mis-issuance
📦 Applies To
any web
🔍 Detection Hints
No certificate monitoring; domain without CAA record limiting which CAs can issue; unexpected certificates on crt.sh
Auto-detectable: ✓ Yes crt.sh certspotter ssl-labs
CWE-295