Certificate Transparency
CT logs.
Overview
Certificate Transparency (CT) is a public auditing system for TLS certificates. Every certificate issued by a participating CA is logged to append-only CT logs; anyone can monitor the logs for unexpected issuances against their domains.
- Public, append-only logs. CAs submit issued certificates to CT logs. Append-only means certificates cannot be removed; the audit trail is immutable and verifiable.
- Domain monitoring plus browser enforcement. Domain owners monitor CT logs for their domains; modern browsers require CT proof (signed certificate timestamps) on newly issued certificates. Rogue or compromised CAs are caught at issuance time, and certificates without CT proof are rejected by the browser at connection time.
- Open ecosystem. CT logs are operated by multiple independent parties. Decentralised by design; no single operator can hide issuances or quietly revise the record.
- Tooling. crt.sh, Censys, and Cert Spotter let teams query and monitor logs. The discipline is operational, not theoretical; the cost of entry is a free email subscription.
The approach
The practical approach is monitor-and-alert. Teams subscribe to CT log feeds for their domains; alerts fire on unexpected issuance and the response runs from a written runbook rather than improvisation.
- Subscribe to CT feeds. Cert Spotter or equivalent CT monitoring delivers alerts per domain. The team's domains are monitored; the discipline is automated rather than depending on a quarterly review.
- Alert on unexpected issuance. Certificates issued for the team's domains by unexpected CAs trigger alerts. Investigation begins immediately; the response window for revocation and rotation is short.
- Inventory CAs plus CAA records. Maintain an authorised CA list (Let's Encrypt, DigiCert, AWS ACM, internal CA). Pair with DNS CAA records that constrain which CAs can issue for the domain; CT and CAA together produce defence in depth.
- Document the response. Runbook covers investigate, revoke, rotate, and report per unexpected-issuance event. New on-call engineers respond from the runbook rather than asking around.
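The alert and inventory steps above, as an added example that is not code from the original page: a small Python check that flags CT entries whose issuer is not on the team's authorised CA list and reviews the CAA record set against that same list in both directions. The allowlist, the example.com feed entries (constructed in the JSON shape crt.sh returns) and the CAA records are all constructed for illustration.

```python
import json

# Hypothetical authorised CA allowlist: issuer-name fragment -> CAA identifier
# (None marks an internal CA that never issues for public names).
AUTHORISED_CAS = {
    "Let's Encrypt": "letsencrypt.org",
    "DigiCert": "digicert.com",
    "Amazon": "amazon.com",  # AWS ACM public certificates chain to Amazon roots
    "Example Corp Internal CA": None,
}

# Constructed sample feed for example.com, in the JSON shape crt.sh returns.
SAMPLE_FEED = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "api.example.com"},
    {"id": 3, "issuer_name": "C=XX, O=Unknown Root CA, CN=Unknown Intermediate",
     "name_value": "login.example.com"},
])

# Constructed CAA record set for example.com, as "flags tag value" strings.
SAMPLE_CAA = ['0 issue "letsencrypt.org"', '0 issue "digicert.com"',
              '0 issuewild "other-ca.example"']


def authorised_ca(issuer_name):
    """Return the allowlist key matching an issuer DN, or None if unexpected."""
    return next((ca for ca in AUTHORISED_CAS if ca in issuer_name), None)


def unexpected_issuances(feed_json):
    """Return CT entries whose issuer is not on the authorised CA list."""
    return [e for e in json.loads(feed_json) if authorised_ca(e["issuer_name"]) is None]


def caa_mismatches(caa_records):
    """Compare the CAA record set against the allowlist in both directions.

    'permitted_not_authorised': CAA lets a CA issue that the team never approved.
    'authorised_not_permitted': an approved public CA would be refused by CAA
    (issuance fails, or the team has an undocumented exception).
    """
    permitted = {r.split('"')[1] for r in caa_records
                 if r.split()[1] in ("issue", "issuewild")}
    authorised = {ident for ident in AUTHORISED_CAS.values() if ident}
    return {"permitted_not_authorised": sorted(permitted - authorised),
            "authorised_not_permitted": sorted(authorised - permitted)}


if __name__ == "__main__":
    for e in unexpected_issuances(SAMPLE_FEED):
        print(f"ALERT: {e['name_value'].splitlines()[0]} issued by {e['issuer_name']}")
    print("CAA review:", caa_mismatches(SAMPLE_CAA))
```

Run against the constructed data, entry 3 (login.example.com from an unknown CA) is the one that should page the on-call engineer, and the CAA review shows one CA permitted by DNS but never approved and one approved CA that CAA would refuse.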
Why this compounds
The benefits compound over time. Each year of CT monitoring catches issuance the team would not otherwise know about; the discipline becomes part of the security posture rather than a project.
- Detection of CA compromise. Compromised or misbehaving CAs have been caught via CT (DigiNotar, Symantec). Monitoring contributes to global ecosystem health rather than just local detection.
- Detection of insider issuance. Internal employees issuing unauthorised certificates are caught at issuance. The audit trail is complete; insider misuse becomes detectable rather than relying on goodwill.
- Compliance evidence. CT monitoring is evidence of due diligence. Auditors are satisfied; the discipline supports compliance reviews without ad-hoc evidence collection.
- Trust in the ecosystem plus compounding habit. Monitoring contributes to the security commons. Year one sets up monitoring and response; year two onwards the patterns are reflexive and the runbook tightens.
Certificate Transparency is one of those security practices that pays off over years of operation. Nova AI Ops integrates with security tooling, surfaces patterns across infrastructure, and supports the team's TLS hygiene discipline.