Certificate Transparency: How CT Logs Protect Your Domain
Certificate Transparency (CT) is an open framework for logging, monitoring and auditing publicly trusted SSL/TLS certificates. Since April 2018, Google Chrome has required every newly issued publicly trusted TLS certificate to carry proof that it was recorded in public CT logs; a certificate without that proof is rejected. Understanding CT helps you detect certificates issued for your domain without your knowledge before attackers can use them.
Why Certificate Transparency Was Created
Before CT, Certificate Authorities could issue certificates for any domain without that domain's owner knowing. This created opportunities for both malicious actors and compromised CAs to issue fraudulent certificates.
The turning point was the 2011 DigiNotar hack, where attackers breached a Dutch CA and issued fraudulent certificates for Google, Mozilla, Twitter, and over 500 other domains. These certificates were used to intercept Iranian users' HTTPS traffic for weeks before detection. At the time, there was no mechanism for domain owners to discover these certificates.
Google proposed Certificate Transparency in 2012; the first specification was published as RFC 6962 in 2013 and revised as RFC 9162 in 2021. The core idea: every certificate issued by a publicly trusted CA is recorded in public, append-only, cryptographically verifiable logs. A CA can still misissue a certificate, but it can no longer do so secretly: an unlogged certificate is rejected by CT-enforcing browsers, and a logged one is visible to the domain owner and to anyone else watching the logs.
How CT Logs Work
CA submits certificate to CT log
When a CA issues a certificate, it submits it (usually as a precertificate, before the final certificate is signed) to publicly trusted CT log servers. Browser policies require timestamps from more than one independent log, so CAs submit to several logs at once.
Log server returns a Signed Certificate Timestamp (SCT)
The CT log server cryptographically signs a promise to include the certificate in its log within a maximum merge delay (typically 24 hours). The SCT reaches the browser embedded in the certificate itself (the common case), in a stapled OCSP response, or in a TLS extension sent during the handshake.
Browser verifies SCT
When Chrome or Safari (and, since early 2025, Firefox) connects to your site, it checks that enough valid SCTs from logs it trusts are present. Without them, Chrome has rejected the connection since 2018 with the error "ERR_CERTIFICATE_TRANSPARENCY_REQUIRED".
Public log is auditable
Anyone can query CT logs to find all certificates issued for any domain. Entries are permanent: the log is append-only, so even revoked or expired certificates remain in it, and a log that removed or rewrote an entry would be caught by auditors comparing its signed tree heads.
Searching CT Logs for Your Domain
You can search CT logs to find every certificate ever issued for your domain using public tools:
crt.sh
The most widely used CT log search tool. Search by domain, organisation, or certificate fingerprint. Free, maintained by Sectigo.
Google Transparency Report
Google's CT search in its Transparency Report. Google also operates the Argon and Xenon log shards that most CAs submit to.
Censys
Advanced internet scan data including CT log certificates. Has a free tier with limited queries.
Facebook CT Monitor
Facebook's monitor sends email alerts when new certificates are issued for your domain.
# Query crt.sh via API

# Find every name on every certificate logged for the domain and its subdomains
# (name_value is newline-separated, so -r is needed to split it into lines)
curl -s "https://crt.sh/?q=%.yourdomain.com&output=json" | \
  jq -r '.[].name_value' | sort -u

# Count certs issued in the last 7 days. crt.sh returns not_before as a timestamp
# without a timezone, so parse it into epoch seconds before comparing with now
curl -s "https://crt.sh/?q=yourdomain.com&output=json" | \
  jq '[.[] | select((.not_before | strptime("%Y-%m-%dT%H:%M:%S") | mktime) > (now - 604800))] | length'
What to Look For in CT Logs
Regularly auditing CT logs for your domains lets you detect:
Unauthorised certificates
A certificate for your domain from a CA you do not use. It may be legitimate (another team, or a CDN or SaaS provider issuing on your behalf), but it can also mean an attacker passed domain validation through a compromised DNS or registrar account, a dangling DNS record, or a weakness in the CA's validation process.
Unexpected wildcard certificates
A *.yourdomain.com certificate you didn't issue gives an attacker the ability to impersonate any subdomain with a valid certificate.
Certificates with unexpected SANs
A certificate covering your domain alongside domains you do not own. Shared certificates from a CDN or hosting provider look like this and are usually benign; otherwise it can indicate a compromised provider or an automation pipeline issuing for the wrong names.
Certificates for subdomains you don't control
A new certificate for a subdomain you have deleted or abandoned is a strong signal that someone else now controls that name, typically through a dangling DNS record still pointing at a deprovisioned cloud resource (subdomain takeover). Old certificates for such names are expected; new ones are not.
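The crt.sh query above and the four checks in this section combine into a small triage script. The following is an added example, written for this page rather than taken from it or from crt.sh, that parses records in the shape crt.sh returns for ?output=json (a constructed sample, with fields trimmed), collapses the precertificate and final-certificate entries of one issuance, and flags issuers outside an allowlist, unexpected wildcards, SANs outside your domain, and hostnames missing from your inventory. The policy values, hostnames and the fixed "now" are assumptions for the demonstration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of https://crt.sh/?q=%.example.com&output=json
# (real responses carry more fields). Entries 2 and 6 are the precertificate and
# final certificate of a single issuance: same issuer and serial, two log entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03a1",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T00:00:00"},
    {"id": 2, "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA",
     "serial_number": "b7f2", "common_name": "api.example.com", "name_value": "api.example.com",
     "not_before": "2024-05-03T09:15:00", "not_after": "2025-05-03T09:15:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03a2",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "not_before": "2024-05-04T12:00:00", "not_after": "2024-08-02T12:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03a3",
     "common_name": "example.com", "name_value": "example.com\nother-brand.net",
     "not_before": "2024-04-20T00:00:00", "not_after": "2024-07-19T00:00:00"},
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03a4",
     "common_name": "old-staging.example.com", "name_value": "old-staging.example.com",
     "not_before": "2024-05-05T18:30:00", "not_after": "2024-08-03T18:30:00"},
    {"id": 6, "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA",
     "serial_number": "b7f2", "common_name": "api.example.com", "name_value": "api.example.com",
     "not_before": "2024-05-03T09:15:00", "not_after": "2025-05-03T09:15:00"},
])

# Hypothetical policy for the monitored domain: which CAs your automation uses,
# which hostnames exist in your inventory, whether wildcard issuance is expected.
POLICY = {
    "domain": "example.com",
    "approved_issuers": ("O=Let's Encrypt",),  # substrings matched against issuer_name
    "known_hosts": {"example.com", "www.example.com", "api.example.com"},
    "wildcard_expected": False,
}

DEMO_NOW = datetime(2024, 5, 8)  # fixed clock so the constructed sample is reproducible


def parse_names(name_value):
    """crt.sh packs the subject CN and all dNSName SANs into one newline-separated string."""
    return sorted({n.strip().lower() for n in name_value.split("\n") if n.strip()})


def in_scope(name, domain):
    """True for the apex, any subdomain, or a wildcard under the monitored domain."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == domain or bare.endswith("." + domain)


def dedupe(entries):
    """One issuance is usually logged twice (precertificate + final certificate);
    collapse on (issuer, serial) so it produces one set of findings, not two."""
    seen, unique = set(), []
    for e in entries:
        key = (e["issuer_name"], e["serial_number"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def triage(crtsh_json, policy, now, window=timedelta(days=7)):
    """Classify each logged issuance against the policy and return the findings."""
    findings = []
    domain = policy["domain"]
    for e in dedupe(json.loads(crtsh_json)):
        names = parse_names(e["name_value"])
        recent = now - datetime.fromisoformat(e["not_before"]) <= window
        base = {"id": e["id"], "not_before": e["not_before"], "issued_last_7d": recent}
        if not any(s in e["issuer_name"] for s in policy["approved_issuers"]):
            findings.append({**base, "kind": "unapproved_issuer", "detail": e["issuer_name"]})
        foreign = [n for n in names if not in_scope(n, domain)]
        if foreign:
            findings.append({**base, "kind": "foreign_san", "detail": ", ".join(foreign)})
        for n in names:
            if not in_scope(n, domain):
                continue
            if n.startswith("*."):
                if not policy["wildcard_expected"]:
                    findings.append({**base, "kind": "unexpected_wildcard", "detail": n})
            elif n not in policy["known_hosts"]:
                findings.append({**base, "kind": "unknown_host", "detail": n})
    return findings


def run_demo():
    return triage(SAMPLE_CRTSH_JSON, POLICY, DEMO_NOW)


if __name__ == "__main__":
    for f in run_demo():
        print(f"crt.sh id {f['id']:>4}  {f['kind']:<20} {f['detail']}  (last 7d: {f['issued_last_7d']})")
```

On the sample this flags the Sectigo-issued api.example.com certificate once (the duplicate entry is collapsed), the wildcard, the certificate that pairs example.com with other-brand.net, and the certificate for old-staging.example.com, which is absent from the inventory. To run it against live data, replace SAMPLE_CRTSH_JSON with the body of the crt.sh query and DEMO_NOW with datetime.now(); the known_hosts set is the piece worth keeping accurate, since the unknown_host check is what surfaces the subdomain-takeover case.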
Automating CT Log Monitoring
Manual CT log searches are not practical at scale: certificates for a busy domain are issued continuously, and the window between misissuance and abuse can be short. Automate CT monitoring instead.
Monitor CT logs for your domains automatically
CertNotify's Pro plan includes Certificate Transparency monitoring — get alerted the moment a new certificate is issued for any of your monitored domains, whether by you or anyone else.
Start monitoring →