Certificate transparency (CT logs)

Public append-only logs of every TLS certificate issued by trusted CAs. Browsers refuse certs that aren't in CT logs. Lets you find every cert issued for your domain.

Certificate Transparency (CT) is a system where every cert a trusted CA issues gets logged to a public, append-only log. The logs are operated by Google, Cloudflare, DigiCert, and others; anyone can search them.

Why CT exists

To make rogue cert issuance impossible to hide. Before CT, a compromised or misbehaving CA could issue a cert for your domain to an attacker without you ever knowing. With CT, every cert ends up in a public log within hours, and you can monitor those logs for unexpected entries.

Since 2018, Chrome (and most other browsers) refuse to trust any cert that isn't logged in CT. So no publicly trusted cert escapes the public record.

How to search CT

Free tools:

  • crt.sh — the de facto search interface. https://crt.sh/?q=example.com shows every cert ever issued for example.com.
  • Censys — broader internet asset search, includes CT.
  • Cert Spotter (sslmate.com) — alerts on new certs for your domains.

Run curl 'https://crt.sh/?q=example.com&output=json' and parse the JSON to integrate into your own monitoring.

What this gives a SaaS operator

Asset discovery. Searching crt.sh for *.yourapp.com shows every subdomain anyone has issued a cert for, including shadow IT or forgotten staging environments.

Threat detection. If a cert appears for acme.com from a CA you don't use, that's a signal someone else issued it. Investigate.
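The monitoring integration described above (parse the crt.sh JSON, list every hostname that has ever had a cert, alert on issuers you don't use) as an added example; this is not code from the original page. The field names follow crt.sh's JSON output, but the records themselves are constructed, so it runs offline.

```python
"""Triage crt.sh JSON for a domain: list every hostname seen and flag
certificates from issuers outside an allowlist (constructed sample data)."""
import json

# Constructed sample in the shape returned by
# https://crt.sh/?q=example.com&output=json (issuer_name, common_name and
# name_value are real crt.sh field names; the records are made up).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging-old.example.com",        # forgotten staging host
     "name_value": "staging-old.example.com"},
    {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Some Other CA G2",
     "common_name": "example.com",                    # issuer we never used
     "name_value": "example.com\nlogin.example.com"},
])

# Issuer organisations the operator actually uses; anything else is an alert.
KNOWN_ISSUERS = {"Let's Encrypt"}


def hostnames(records):
    """Every distinct hostname across all SANs (name_value is newline-separated)."""
    names = set()
    for rec in records:
        for name in rec["name_value"].split("\n"):
            names.add(name.strip().lower())
    return sorted(names)


def issuer_org(issuer_name):
    """Pull the O= component out of a crt.sh issuer DN string."""
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:]
    return issuer_name  # no O= component: fall back to the full DN


def triage(crtsh_json, known=KNOWN_ISSUERS):
    """Return the asset inventory plus (id, issuer, CN) for unexpected issuers."""
    records = json.loads(crtsh_json)
    alerts = [(r["id"], issuer_org(r["issuer_name"]), r["common_name"])
              for r in records if issuer_org(r["issuer_name"]) not in known]
    return {"hostnames": hostnames(records), "alerts": alerts}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CRTSH_JSON), indent=2))
```

Point the same function at the live output of the curl command above to turn it into a scheduled check; the hostname list is the asset inventory and the alert list is the rogue-issuance signal.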

Compliance. SOC 2 / ISO 27001 audits sometimes ask "how do you know about all the certs in your environment?" CT search is part of the answer.

What CT doesn't do

  • Doesn't prevent rogue issuance, just makes it visible after the fact.
  • Doesn't include private CA certs (corporate-internal CAs are off the public log).
  • Doesn't help if you don't actually monitor the logs.

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.