Certificate Transparency Issues
What This Means
Certificate Transparency (CT) is a security framework that monitors and audits SSL/TLS certificates, making it nearly impossible for Certificate Authorities (CAs) to issue certificates for a domain without detection. CT issues can manifest as:
- Browser security warnings about missing CT logs
- Certificate validation failures in modern browsers
- Misissued certificates going undetected
- Delayed detection of compromised CAs
- Compliance violations for sensitive domains
- Trust issues with certificate authorities
Chrome, Safari, and other modern browsers require CT compliance for certificates issued after April 2018.
How to Diagnose
Check Certificate Transparency
```bash
# Check certificate CT logs (send SNI and close stdin so s_client exits after the handshake)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | \
  openssl x509 -noout -text | grep -A 10 "CT Precertificate SCTs"

# Verify with crt.sh (certificate transparency log search)
curl "https://crt.sh/?q=example.com&output=json"
```
Browser DevTools
- Open Security tab in Chrome DevTools
- Check certificate details for SCT (Signed Certificate Timestamp) information
- Look for "Certificate Transparency: Yes" in certificate viewer
Online Tools
- SSL Labs - Check CT compliance
- crt.sh - Search certificate transparency logs
- Certificate Search - Monitor issued certificates
- Facebook CT Monitor - Monitor certificates for your domain
Common Issues
- Missing Signed Certificate Timestamps (SCTs)
- Certificate not logged in CT logs
- Insufficient number of SCTs (need 2+ from different logs)
- SCTs from disqualified logs
- Certificate issued without CT compliance
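To make the SCT-related items above concrete, the following Python script (an added example, not code from the original page) parses a SignedCertificateTimestampList in the TLS encoding of RFC 6962, which is what the "CT Precertificate SCTs" extension (OID 1.3.6.1.4.1.11129.2.4.2) carries, and then applies the "2+ SCTs from different logs" rule while discounting logs on a disqualified list. The log IDs, signatures and the disqualified set are constructed placeholders; real log IDs are the SHA-256 hash of a log's public key, and the script does not verify SCT signatures (that requires each log's public key).

```python
import struct
from datetime import datetime, timezone

# Log IDs are constructed for this example; a real log ID is the SHA-256 of the log's public key.
LOG_A = bytes([0xAA]) * 32
LOG_B = bytes([0xBB]) * 32
LOG_C = bytes([0xCC]) * 32

# Placeholder set of logs an operator treats as disqualified (constructed, not a real policy list).
DISQUALIFIED_LOGS = {LOG_C}
MIN_DISTINCT_LOGS = 2  # the "2+ from different logs" rule


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialize one v1 SignedCertificateTimestamp (RFC 6962 section 3.2) with its 2-byte length prefix."""
    body = (
        b"\x00"                                   # sct_version = v1
        + log_id                                  # 32-byte log id
        + struct.pack(">Q", timestamp_ms)         # milliseconds since the Unix epoch
        + struct.pack(">H", 0)                    # no CT extensions
        + b"\x04\x03"                             # SignatureAndHashAlgorithm: sha256, ecdsa
        + struct.pack(">H", len(signature)) + signature
    )
    return struct.pack(">H", len(body)) + body


def encode_sct_list(scts: list) -> bytes:
    """Wrap serialized SCTs into a SignedCertificateTimestampList (RFC 6962 section 3.3)."""
    joined = b"".join(scts)
    return struct.pack(">H", len(joined)) + joined


def parse_sct_list(data: bytes) -> list:
    """Parse the TLS-encoded SCT list found inside the precertificate SCT extension."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    pos, scts = 2, []
    while pos < len(data):
        (length,) = struct.unpack_from(">H", data, pos)
        pos += 2
        sct = data[pos:pos + length]
        pos += length
        # version(1) + log_id(32) + timestamp(8) + ext_len(2) + algorithms(2) + sig_len(2) = 47 bytes minimum
        if len(sct) != length or length < 47:
            raise ValueError("truncated SCT")
        if sct[0] != 0:
            raise ValueError("unsupported SCT version %d" % sct[0])
        (ts_ms,) = struct.unpack_from(">Q", sct, 33)
        (ext_len,) = struct.unpack_from(">H", sct, 41)
        off = 43 + ext_len                        # start of the digitally-signed block
        if off + 4 > len(sct):
            raise ValueError("truncated SCT extensions")
        (sig_len,) = struct.unpack_from(">H", sct, off + 2)
        signature = sct[off + 4:off + 4 + sig_len]
        if len(signature) != sig_len:
            raise ValueError("truncated SCT signature")
        scts.append({
            "log_id": sct[1:33],
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": sct[off],
            "sig_alg": sct[off + 1],
            "signature": signature,
        })
    return scts


def check_sct_policy(scts, disqualified=DISQUALIFIED_LOGS, minimum=MIN_DISTINCT_LOGS) -> dict:
    """Count distinct, non-disqualified logs; signatures are not verified here."""
    usable = {s["log_id"] for s in scts} - set(disqualified)
    return {
        "total": len(scts),
        "distinct_usable_logs": len(usable),
        "disqualified": sum(1 for s in scts if s["log_id"] in disqualified),
        "compliant": len(usable) >= minimum,
    }


# Constructed sample: three SCTs, one of them from the "disqualified" log C. Signatures are dummy bytes.
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(LOG_A, 1700000000000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    encode_sct(LOG_B, 1700000001000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
    encode_sct(LOG_C, 1700000002000, b"\x30\x06\x02\x01\x05\x02\x01\x06"),
])

if __name__ == "__main__":
    parsed = parse_sct_list(SAMPLE_SCT_LIST)
    for s in parsed:
        print(s["log_id"].hex()[:16], s["timestamp"].isoformat())
    print(check_sct_policy(parsed))
```

Feeding the script a real extension value (the OCTET STRING body, with the ASN.1 wrapper stripped) shows why "three SCTs" can still fail a browser policy: once a log is disqualified its SCT no longer counts, so the sample above is left with only two usable logs, exactly the minimum.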
General Fixes
Use CT-compliant Certificate Authorities - Modern CAs (Let's Encrypt, DigiCert, etc.) automatically include SCTs
Verify SCT inclusion methods
- Embedded SCTs: Included in certificate (most common)
- TLS extension: Delivered during TLS handshake
- OCSP stapling: Included in OCSP response
Monitor certificate issuance - Set up alerts for new certificates issued for your domain

```javascript
// Example: Monitor using crt.sh API
const response = await fetch('https://crt.sh/?q=example.com&output=json');
const certificates = await response.json();
// Alert on unexpected certificates, e.g. any issuer other than the CA you actually use
const expectedIssuer = "Let's Encrypt";
const unexpected = certificates.filter((cert) => !cert.issuer_name.includes(expectedIssuer));
if (unexpected.length > 0) console.warn('Unexpected certificates:', unexpected);
```

Use CAA records - Specify which CAs can issue certificates for your domain

```
# DNS CAA records
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
example.com. CAA 0 iodef "mailto:security@example.com"
```

Automate certificate renewal - Use ACME clients that ensure CT compliance

```bash
# certbot example (the CA embeds the SCTs at issuance; no CT-specific options are needed)
certbot certonly --webroot -w /var/www/html -d example.com
```

Verify before deployment - Check new certificates for CT compliance before installing

```bash
# Check SCTs in certificate file
openssl x509 -in certificate.crt -noout -text | grep -A 10 "CT Precertificate SCTs"
```

Set up monitoring - Use services to detect unauthorized certificates
Implement certificate pinning cautiously - Pin to CA rather than specific certificates
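The CAA records listed under "Use CAA records" only help if you know how a CA evaluates them. The following Python script is an added example (not code from the original page or from any CA) that implements the RFC 8659 decision logic over a constructed zone: it walks up from the requested name to the closest CAA RRset, lets issuewild override issue for wildcard names only, treats `issue ";"` as denying every CA, treats a CAA set with only iodef as no restriction, and refuses on an unrecognized critical property. The zone dictionary stands in for DNS resolution, and CNAME/DNAME following is left out.

```python
# Constructed zone data: the page's example.com records plus two subdomains that show the edge cases.
# Each record is (flags, tag, value) as in an RFC 8659 CAA RR.
CAA_ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [
        (0, "issue", ";"),                                # empty issuer-domain: no CA may issue
    ],
    "mail.example.com": [
        (0, "iodef", "mailto:security@example.com"),      # reporting only, no issue restriction
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, fqdn):
    """RFC 8659 section 3: the first CAA RRset found walking from the FQDN up toward the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Strip CAA parameters ("letsencrypt.org; validationmethods=dns-01") down to the issuer-domain-name."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone, name, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for name; returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name      # a wildcard request is checked against its parent name
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA records on %s or any parent" % fqdn
    # An unrecognized property carrying the critical flag (bit 0x80) must block issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, "critical unrecognized property %r" % tag
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild overrides issue for wildcard names only; when absent, issue applies to wildcards too.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, "CAA present but no issue/issuewild restriction"
    allowed = {issuer_domain(v) for v in applicable} - {""}
    if ca_domain.lower() in allowed:
        tag_used = "issuewild" if applicable is issuewild else "issue"
        return True, "%s listed in %s" % (ca_domain, tag_used)
    return False, "%s not authorized; allowed: %s" % (ca_domain, sorted(allowed) or "none")


if __name__ == "__main__":
    for name, ca in [
        ("www.example.com", "letsencrypt.org"),
        ("www.example.com", "digicert.com"),
        ("*.example.com", "letsencrypt.org"),
        ("locked.example.com", "letsencrypt.org"),
        ("*.locked.example.com", "letsencrypt.org"),
        ("mail.example.com", "digicert.com"),
    ]:
        print(name, ca, issuance_permitted(CAA_ZONE, name, ca))
```

The `mail.example.com` case is the one that surprises people: publishing only an iodef record gives you incident reports but restricts nobody, so an `issue` record is still needed on every name (or a parent) you want locked down.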
Platform-Specific Guides
| Platform | Guide |
|---|---|
| Let's Encrypt | Certificate Transparency |
| DigiCert | CT Compliance |
| AWS ACM | CT Logging |
| Cloudflare | SSL Certificate Management |