high Encryption

Certificate Transparency

Certificate Transparency (CT) is a public audit system that logs every SSL/TLS certificate issued by Certificate Authorities. Monitoring CT logs lets you detect certificates issued for your domain without your knowledge — a common indicator of phishing or a compromised CA.

What SecurityStatus Checks

  • Whether newly issued certificates for your domain appear in public CT logs
  • Presence of unexpected or unauthorized certificates in CT logs
  • Whether your CA is submitting certificates to CT logs (required since 2018)
  • Detection of wildcard certificates that may over-scope your domain

Why This Matters

Attackers who compromise a Certificate Authority or manipulate DNS can obtain fraudulent certificates for your domain. CT logs make this detectable because every certificate must be logged publicly. Without monitoring, a rogue certificate could be used for months before you notice.

How to Fix It

  1. Set up CT log monitoring

    Use crt.sh to search for all certificates issued for your domain. You can also use services like Facebook's Certificate Transparency Monitoring or Cert Spotter to receive email alerts when new certificates are issued.

  2. Add a CAA record to restrict issuance

    A CAA DNS record tells CAs which of them are authorised to issue certificates for your domain. Add: `yourdomain.com CAA 0 issue "letsencrypt.org"` (or your preferred CA). CAs must check this record before issuing, so any CA you have not listed will refuse to issue for your domain.

  3. Review existing certificates

    Search crt.sh for your domain and review all listed certificates. Any certificate you did not request should be investigated immediately and revoked if fraudulent.

  4. Enable alerting

    Set up automated alerts via Cert Spotter, Facebook CT Monitoring, or Google's Certificate Transparency report so you are notified within hours of any new certificate issuance.
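
As an added example (not SecurityStatus's own code), the Python below applies the review from steps 1 and 3 to crt.sh's JSON output: it collapses precertificate/certificate pairs, then flags entries issued by a CA outside your allow-list and entries with wildcard names. The sample records, the `issuer_org` and `review` helpers and the allow-list are assumptions made for illustration.

```python
import json
import re
from datetime import date

# Constructed sample in the shape returned by
# https://crt.sh/?q=example.com&output=json (all values are made up).
SAMPLE = json.dumps([
    {"id": 1001, "serial_number": "0a01", "not_after": "2026-03-10T00:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.com\nwww.example.com"},
    {"id": 1002, "serial_number": "0a01", "not_after": "2026-03-10T00:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.com\nwww.example.com"},
    {"id": 1003, "serial_number": "0b02", "not_after": "2026-03-20T00:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "*.example.com"},
    {"id": 1004, "serial_number": "7f03", "not_after": "2026-06-01T00:00:00",
     "issuer_name": 'C=XX, O="Unexpected CA, Inc.", CN=Unexpected Issuing CA',
     "name_value": "login.example.com"},
    {"id": 1005, "serial_number": "7f04", "not_after": "2024-06-01T00:00:00",
     "issuer_name": 'C=XX, O="Unexpected CA, Inc.", CN=Unexpected Issuing CA',
     "name_value": "mail.example.com"},
])

def issuer_org(issuer_name):
    """Extract the O= attribute from the issuer DN (simplified; handles quoted values)."""
    m = re.search(r'(?:^|, )O=(?:"([^"]*)"|([^,]*))', issuer_name)
    return (m.group(1) or m.group(2)) if m else None

def review(crtsh_json, allowed_orgs, today):
    """Return (id, names, reasons) for each logged certificate that needs a look."""
    findings, seen = [], set()
    for e in json.loads(crtsh_json):
        key = (e["issuer_name"], e["serial_number"])
        if key in seen:  # precertificate and final certificate share a serial
            continue
        seen.add(key)
        names = sorted(set(e["name_value"].lower().split("\n")))
        reasons = []
        if issuer_org(e["issuer_name"]) not in allowed_orgs:
            reasons.append("unexpected issuer")
        if any(n.startswith("*.") for n in names):
            reasons.append("wildcard")
        if reasons and date.fromisoformat(e["not_after"][:10]) < today:
            reasons.append("expired")  # still evidence of issuance you did not request
        if reasons:
            findings.append((e["id"], names, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, {"Let's Encrypt"}, date(2026, 1, 1)):
        print(finding)
```

Set the allow-list to the same CAs you name in your CAA record so both controls describe one policy.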

Frequently Asked Questions

Are CT logs required for all SSL certificates?
Yes. Since April 2018, Chrome has required all new SSL certificates to be logged in CT logs; a certificate that is not logged is rejected by Chrome. All major CAs comply with this requirement.

Can I see all certificates issued for my domain?
Yes. Visit crt.sh and search for your domain name. It shows all certificates that have been logged, including expired ones, along with the issuing CA and issue date.

What should I do if I find an unauthorised certificate?
Contact the CA that issued it and request revocation. File a report with your browser vendor if the issuance appears fraudulent. Then add a CAA record to prevent future unauthorised issuance.
