Certificate Transparency
NeySlim edited this page Apr 9, 2026 · 1 revision
Certificate Transparency (CT) is a framework defined in RFC 6962 that provides an open, auditable log of all issued TLS/SSL certificates. CT helps detect misissued or rogue certificates.
CT works by requiring Certificate Authorities to submit certificates (or pre-certificates) to public CT logs before or after issuance. The logs return Signed Certificate Timestamps (SCTs) that prove the certificate was logged.
UCM displays SCT information when present in certificates:
- Embedded SCTs — SCTs included in the certificate's SignedCertificateTimestampList extension (OID 1.3.6.1.4.1.11129.2.4.2)
- Certificate detail view — Shows CT log entries and timestamps when SCT data is available
- Discovery — Identifies certificates with or without SCT extensions during network scanning
When viewing certificate details, UCM parses and displays:
- CT log operator name (if recognized)
- SCT timestamp
- SCT signature algorithm
- Log ID (SHA-256 hash of the log's public key)
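The fields listed above come straight out of the extension's wire format. The following is an added example (not UCM's code) that decodes the SignedCertificateTimestampList extension value into exactly those fields, using only the standard library. The DER OCTET STRING wrapper and the TLS-style length-prefixed structures follow RFC 6962 section 3.3; the `KNOWN_LOGS` table is a constructed placeholder (real log IDs are the SHA-256 of each log's public key, published in the browsers' log lists), and `sample_extension_value()` builds a constructed two-SCT extension so the parser can be run offline.

```python
"""Decode a SignedCertificateTimestampList extension (OID 1.3.6.1.4.1.11129.2.4.2).

Added example, not UCM's own code. Layouts follow RFC 6962 s3.3; the log-operator
table and the sample extension below are constructed for the example.
"""
from datetime import datetime, timezone

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

# RFC 5246 HashAlgorithm / SignatureAlgorithm codes used inside an SCT signature.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}

# Constructed placeholder: real entries come from the published CT log lists.
KNOWN_LOGS = {bytes([0xAA]) * 32: "Example Log Operator A (constructed)"}


def _asn1_length(buf, pos):
    """Decode a DER length (short or long form); return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _der_length(n):
    """Encode a DER length; used only to build the constructed sample."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def parse_sct(raw):
    """Decode one SerializedSCT: version, log_id, timestamp, extensions, signature."""
    if raw[0] != 0:                                   # v1 is the only defined version (value 0)
        raise ValueError("unsupported SCT version %d" % raw[0])
    log_id = raw[1:33]                                # 32-byte LogID (SHA-256 of log key)
    ts_ms = int.from_bytes(raw[33:41], "big")         # uint64 milliseconds since epoch
    ext_len = int.from_bytes(raw[41:43], "big")       # CtExtensions, empty in v1
    pos = 43 + ext_len
    hash_alg, sig_alg = raw[pos], raw[pos + 1]        # digitally-signed: hash, sig, len, bytes
    sig_len = int.from_bytes(raw[pos + 2:pos + 4], "big")
    sig = raw[pos + 4:pos + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated SCT signature")
    when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
    return {
        "log_id": log_id.hex(),
        "log_operator": KNOWN_LOGS.get(log_id, "unknown"),
        "timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "signature_algorithm": "%s-%s" % (SIG_ALGS.get(sig_alg, "?"), HASH_ALGS.get(hash_alg, "?")),
        "signature_len": sig_len,
    }


def parse_sct_list_extension(ext_value):
    """Extension value = DER OCTET STRING wrapping a TLS-encoded SignedCertificateTimestampList."""
    if ext_value[0] != 0x04:
        raise ValueError("extension value must be an OCTET STRING")
    length, pos = _asn1_length(ext_value, 1)
    tls = ext_value[pos:pos + length]
    if len(tls) != length:
        raise ValueError("truncated OCTET STRING")
    total = int.from_bytes(tls[:2], "big")            # sct_list<1..2^16-1>
    body = tls[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, off = [], 0
    while off < len(body):                            # each SerializedSCT is 2-byte length prefixed
        n = int.from_bytes(body[off:off + 2], "big")
        off += 2
        scts.append(parse_sct(body[off:off + n]))
        off += n
    return scts


def _build_sct(log_id, ts_ms, sig):
    """Encode a v1 SCT with ecdsa-sha256 codes; only for constructing sample input."""
    body = (b"\x00" + log_id + ts_ms.to_bytes(8, "big") + b"\x00\x00"
            + b"\x04\x03" + len(sig).to_bytes(2, "big") + sig)
    return len(body).to_bytes(2, "big") + body


def sample_extension_value():
    """Constructed extension value with two SCTs from two (fake) logs; not real CT data."""
    fake_sig = b"\x30\x45" + bytes(69)                # 71 bytes, DER-sized like an ECDSA signature
    scts = (_build_sct(bytes([0xAA]) * 32, 1700000000000, fake_sig)
            + _build_sct(bytes([0xBB]) * 32, 1700000123456, fake_sig))
    tls = len(scts).to_bytes(2, "big") + scts
    return b"\x04" + _der_length(len(tls)) + tls      # long-form DER length, as in real certificates


if __name__ == "__main__":
    for sct in parse_sct_list_extension(sample_extension_value()):
        print(sct)
```

Parsing is the display step only: checking that an SCT is genuine requires verifying its signature with the log's public key over the (pre)certificate, which this decoder does not do, so an SCT from a log you do not recognise should be shown as "unknown" rather than trusted.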
- Transparency — All publicly trusted certificates are logged and auditable
- Detection — Domain owners can monitor logs for unauthorized certificates
- Accountability — CAs that misissue certificates can be identified
- Browser requirements — Chrome, Safari, and other browsers require SCTs for trusted certificates
| Browser | CT Required | SCTs Needed |
|---|---|---|
| Chrome | Yes (since 2018) | 2-3 SCTs from independent logs |
| Safari | Yes (since 2021) | 2 SCTs from once/currently qualified logs |
| Firefox | No (planned) | N/A |
CT is primarily relevant for publicly trusted certificates. For internal/private PKI:
- Internal CAs are not required to log to public CT logs
- Private CT logs can be deployed for internal audit purposes
- UCM can issue certificates without SCTs for internal use
- crt.sh — Search CT logs for certificates issued to your domains
- Google CT Dashboard — Google's CT log statistics
- Facebook CT Monitor — Alerts for new certificates
To detect unauthorized certificate issuance for your domains:
- Visit crt.sh and search for your domain
- Set up alerts via services like Cert Spotter or Facebook CT Monitor
- Review alerts for any unexpected certificates
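The review step is the part that has to be repeated, so it helps to script it. Below is an added example (not UCM's code) that fetches crt.sh results for a domain and flags entries that deserve a look: certificates from an issuer outside your allowlist, or carrying a name you did not expect. The `fetch_crtsh` helper uses crt.sh's `output=json` query; the record fields it relies on (`id`, `issuer_name`, `common_name`, `name_value`, `not_before`) are assumed to match that output, and `SAMPLE_RECORDS` is constructed data in that shape so the triage logic runs offline.

```python
"""Triage CT log entries for a domain against an issuer allowlist and expected names.

Added example, not UCM's own code. The crt.sh URL and record fields are assumed;
SAMPLE_RECORDS is constructed, not real log data.
"""
import json
import urllib.parse
import urllib.request

CRTSH_JSON = "https://crt.sh/?q={query}&output=json"   # assumed query format


def fetch_crtsh(domain, timeout=30):
    """Fetch every crt.sh entry matching *.domain (network call; not used by the sample)."""
    url = CRTSH_JSON.format(query=urllib.parse.quote("%." + domain))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def names_in(record):
    """All DNS names on the certificate: CN plus newline-separated SANs in name_value."""
    names = {record.get("common_name", "")}
    names.update(record.get("name_value", "").split("\n"))
    return {n.strip().lower() for n in names if n.strip()}


def triage(records, allowed_issuers, expected_names):
    """Return records worth a human look, each with the reasons it was flagged.

    allowed_issuers: substrings matched case-insensitively against issuer_name
    expected_names:  hostnames you actually requested (wildcards as '*.example.com')
    """
    expected = {n.lower() for n in expected_names}
    findings = []
    for r in records:
        reasons = []
        issuer = r.get("issuer_name", "")
        if not any(a.lower() in issuer.lower() for a in allowed_issuers):
            reasons.append("issuer not in allowlist: " + issuer)
        unexpected = sorted(names_in(r) - expected)
        if unexpected:
            reasons.append("unexpected names: " + ", ".join(unexpected))
        if reasons:
            findings.append({"id": r.get("id"), "not_before": r.get("not_before"),
                             "issuer_name": issuer, "reasons": reasons})
    return findings


# Constructed records in the assumed crt.sh shape; issuer and hostnames are placeholders.
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": "C=US, O=Example Trusted CA, CN=Example Issuing CA 1",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2026-01-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example Trusted CA, CN=Example Issuing CA 1",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com",
     "not_before": "2026-02-01T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Other CA Issuing",
     "common_name": "www.example.com", "name_value": "www.example.com",
     "not_before": "2026-03-05T00:00:00"},
]


def sample_findings():
    """Run triage over the constructed records with a one-CA allowlist."""
    return triage(SAMPLE_RECORDS, ["Example Trusted CA"], ["www.example.com", "example.com"])


if __name__ == "__main__":
    for f in sample_findings():
        print(f["id"], f["not_before"], "; ".join(f["reasons"]))
```

For a live run, replace `SAMPLE_RECORDS` with `fetch_crtsh("example.com")`; expect each certificate to appear twice (once as the logged pre-certificate, once as the final certificate), and feed the allowlist from your own CA inventory rather than from what the logs currently show.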
- Certificate Operations — Managing certificates
- Certificate Discovery — Discovering certificates on your network
- RFC 6962 — Certificate Transparency specification
- RFC 9162 — Certificate Transparency Version 2.0