Certificate Transparency
A public, append-only log system that records every SSL/TLS certificate issued, so unauthorized certs can be detected.
Certificate Transparency (CT; RFC 9162 specifies the v2 protocol) requires Certificate Authorities to submit every certificate they issue to public, append-only logs. Chrome has enforced CT logging for all publicly trusted certificates since April 2018, and Apple's platforms enforce similar rules; a certificate without a valid Signed Certificate Timestamp (SCT) is rejected at handshake time. For operators, the practical interface is crt.sh, a free search index over the major logs. Searching for a domain there reveals every certificate issued for it, which is how teams spot CA mis-issuance, shadow IT, and internal subdomains leaked through certificate names. CT complements CAA: CAA restricts who may issue, while CT exposes what was actually issued.
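The monitoring workflow described above, as an added example that is not part of the original entry: it triages CT search results for your own domain against an issuer allowlist (the same CAs your CAA record permits) and a host inventory. The record layout is assumed to follow crt.sh's JSON output, the sample records are constructed, and `issuer_org` and `triage` are hypothetical helper names.

```python
import json

# Constructed sample shaped like crt.sh JSON output. The field names used here
# (id, issuer_name, name_value) are assumed; every value is made up.
SAMPLE_JSON = r"""[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "name_value": "example.com\nwww.example.com"},
 {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "name_value": "vpn-staging.corp.example.com"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "name_value": "vpn-staging.corp.example.com"},
 {"id": 1004, "issuer_name": "C=XX, O=Unexpected CA Ltd, CN=Unexpected CA 1", "name_value": "www.example.com"},
 {"id": 1005, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "name_value": "*.example.com"}
]"""
RECORDS = json.loads(SAMPLE_JSON)

def issuer_org(issuer_name):
    """Return the O= attribute of an issuer DN (naive split; no quoted commas)."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return issuer_name  # fall back to the whole DN so it never matches the allowlist

def triage(records, allowed_orgs, inventory):
    """Flag names issued by a CA outside the allowlist (mirrors the CAA policy)
    and names that are missing from the known-host inventory."""
    unexpected_issuer, unknown_name = set(), set()
    for rec in records:
        org = issuer_org(rec["issuer_name"])
        # name_value holds one DNS name per line; precertificate and final
        # certificate entries repeat the same names, so collect into sets.
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()
            if not name:
                continue
            if org not in allowed_orgs:
                unexpected_issuer.add((name, org))
            # A wildcard is checked against the zone it covers.
            base = name[2:] if name.startswith("*.") else name
            if base not in inventory:
                unknown_name.add(name)
    return {"unexpected_issuer": sorted(unexpected_issuer),
            "unknown_name": sorted(unknown_name)}

if __name__ == "__main__":
    report = triage(RECORDS, {"Let's Encrypt"}, {"example.com", "www.example.com"})
    for kind, items in report.items():
        print(kind, items)
```

An unexpected issuer points to possible mis-issuance or a gap in the CAA record; an unknown name points to shadow IT or an internal hostname that is now publicly visible in the logs.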