Certificate Transparency (CT) is an Internet security standard (RFC 6962) for monitoring and auditing the issuance of digital certificates. When a certificate is issued, it is submitted to one or more CT logs: publicly verifiable, append-only records of TLS/SSL certificates whose Merkle tree structure makes any tampering with the record detectable. CT logs are maintained by different organisations in different jurisdictions. CT monitors periodically fetch new entries from the logs, watch for certificates that should not have been issued, and can verify that everything a log has promised to include is actually present. Anyone can set up and run a monitor, and monitors can be used to detect both security and availability problems.
| Characteristics | Values |
|---|---|
| Purpose | To monitor and audit the issuance of digital certificates |
| Users | Website owners, auditors, domain owners, browsers, academics |
| Function | Makes all issued certificates public in append-only, publicly verifiable logs |
| Data Format | Append-only Merkle-tree logs of certificates and pre-certificates |
| Logs Operated By | Browser vendors, certificate authorities and other independent operators |
| Certificates | Carry one or more signed certificate timestamps (SCTs) |
| SCTs | A log operator's signed promise to include the certificate in its log within the maximum merge delay (MMD) |
| Submission | Anyone can submit a certificate to a CT log, but this is usually done by the issuing CA |
| Alerts | Email, webhook callback, Slack; Facebook notification (Facebook's monitoring tool) |
What You'll Learn
- How to monitor for unauthorized, expiring, and maliciously issued SSL/TLS certificates
- How to receive alerts when certificates are issued for your domains
- How to verify that a particular certificate exists in a log
- How to check the consistency of a particular log
- How to detect security and availability problems
How to monitor for unauthorized, expiring, and maliciously issued SSL/TLS certificates
SSL/TLS certificates are an essential component of secure online communication. However, the process of monitoring these certificates for unauthorized, expiring, or maliciously issued certificates can be challenging. Here are some steps and tools to help you effectively monitor your SSL/TLS certificates:
- Understand the Importance of Certificate Transparency (CT): CT requires CAs to submit newly issued certificates to public, append-only logs (CT logs) run by independent operators, and browsers such as Chrome and Safari refuse to trust certificates that do not carry SCTs from qualifying logs. Because of this, practically every publicly trusted certificate for your domains, including ones you never ordered, becomes visible in the logs, and anyone can query the logs to verify the inclusion and timing of a certificate.
- Utilize Monitors and Logs: A CT monitor periodically fetches new entries from the log servers and watches for certificates of interest: anything naming your domains that you did not order, issued by a CA you do not use, or carrying unexpected names (wildcards, unknown subdomains) or unusual extensions. Since a monitor sees every logged certificate for your domains, it can also track the expiry of the certificates you do have. Anyone can set up and run a monitor, and several are offered as subscription services for domain owners.
- Choose a Certificate Monitoring Tool: Various tools are available to help you monitor SSL/TLS certificates. Examples include TrackSSL, Sematext, Site24x7, Datadog, UptimeRobot, ManageEngine, StatusCake, Zabbix, Dotcom-Monitor, Sucuri, LetsMonitor.org, and Updown.io. These tools offer features such as expiration monitoring, alerts, and certificate chain verification. Note that most of them check the certificate your own endpoints actually serve; detecting a certificate you did not order requires a monitor that reads the CT logs, as described in the next section.
- Set Up Expiration Notifications: Tools like TrackSSL allow you to set up notifications for expiring certificates. You can choose how many days before the expiry date you want to receive alerts and select your preferred notification methods, such as email, SMS, Slack, or MS Teams.
- Monitor for Unauthorized Certificates: Certificate Transparency Logs give you critical visibility into the issuance of new SSL certificates for your domain. By subscribing to a CT monitor, you can receive updates when certificates for your domains are included in any of the logs checked by that monitor. This helps you detect unauthorized or maliciously issued certificates.
- Proactively Monitor Certificate Health: Services like Sectigo offer proactive monitoring for the health of your SSL certificates. They can notify you before a problem occurs, such as an unexpected expiration or unauthorized issuance.
- Verify Certificate Chains: Ensure that your certificate monitoring tool can verify the chain of trust for your SSL/TLS certificates. This includes checking the root certificate, intermediate certificates, and server certificate to ensure they are correctly linked to a trusted certificate authority (CA).
- Automate Renewal and Revocation Processes: Use tools that automate the renewal and revocation of SSL/TLS certificates. For example, KeyChest offers renewal automation with third-party CAs and Let's Encrypt management.
- Monitor Internal and Self-Signed Certificates: Some tools, like TrackSSL, also monitor internal and self-signed SSL certificates, which never appear in CT logs, ensuring comprehensive coverage for your organization's domains, services, and applications.
By following these steps and utilizing the recommended tools, you can effectively monitor your SSL/TLS certificates, ensuring the security and integrity of your online communications.
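As an added example (not code from this article or from any of the services named above), the following Python shows the triage a monitor or its subscriber applies to each new log entry for a domain: it keeps only certificates that name the monitored domain (matching on DNS labels, so `notexample.com` is not mistaken for `example.com`), then flags an issuer that is not on the allowlist of CAs you actually use, hostnames you did not order (including unexpected wildcards, which cover every host one label down), and certificates that expire within a warning window. The domain, issuer allowlist, known hostnames and the log entries are constructed sample data; extraction of issuer and SAN names from the real certificate is assumed to have happened upstream.

```python
"""Triage of CT log entries for a domain you own, using only the standard library.

Each LogEntry stands for what a monitor extracts from a logged certificate or
pre-certificate: issuer organisation, SAN dNSNames and validity period.
All records below are constructed sample data, not real log entries."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions for the example: the domain you own, the CAs you actually order
# from, and the hostnames you know you hold certificates for.
MONITORED_DOMAINS = {"example.com"}
AUTHORIZED_ISSUERS = {"Let's Encrypt", "DigiCert Inc"}
KNOWN_HOSTS = {"example.com", "www.example.com", "api.example.com"}
EXPIRY_WARNING = timedelta(days=14)


@dataclass
class LogEntry:
    log_index: int
    issuer_org: str
    san_dns_names: list
    not_before: datetime
    not_after: datetime


def under_domain(name: str, domain: str) -> bool:
    """True if a SAN name is `domain` itself or a (wildcard) name below it.
    The comparison is label-based: 'notexample.com' does not match 'example.com'."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def triage(entry: LogEntry, now: datetime) -> list:
    """Return findings as (severity, message) tuples; an empty list means routine."""
    ours = [n.lower().rstrip(".") for n in entry.san_dns_names
            if any(under_domain(n, d) for d in MONITORED_DOMAINS)]
    if not ours:
        return []                                   # somebody else's certificate
    findings = []
    if entry.issuer_org not in AUTHORIZED_ISSUERS:
        findings.append(("high", f"issued by {entry.issuer_org!r}, not a CA we use"))
    for name in ours:
        if name in KNOWN_HOSTS:
            continue
        if name.startswith("*."):
            findings.append(("high", f"unexpected wildcard {name}"))
        else:
            findings.append(("medium", f"unknown hostname {name}"))
    # Only certificates that are still valid but close to expiry are interesting;
    # long-expired historical entries are normal in a log.
    if now <= entry.not_after <= now + EXPIRY_WARNING:
        findings.append(("low", f"expires on {entry.not_after.date()}"))
    return findings


# Constructed sample data with a fixed clock so the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    LogEntry(1001, "Let's Encrypt", ["www.example.com", "example.com"],
             NOW - timedelta(days=30), NOW + timedelta(days=60)),   # routine renewal
    LogEntry(1002, "Let's Encrypt", ["api.example.com"],
             NOW - timedelta(days=80), NOW + timedelta(days=10)),   # about to expire
    LogEntry(1003, "Unknown CA LLC", ["login.example.com"],
             NOW - timedelta(days=1), NOW + timedelta(days=365)),   # CA we never used, host we never ordered
    LogEntry(1004, "DigiCert Inc", ["*.example.com"],
             NOW, NOW + timedelta(days=397)),                       # wildcard nobody requested
    LogEntry(1005, "Let's Encrypt", ["notexample.com"],
             NOW, NOW + timedelta(days=90)),                        # not our domain at all
]


def run(entries=SAMPLE_ENTRIES, now=NOW) -> dict:
    """Map each log index to its findings."""
    return {e.log_index: triage(e, now) for e in entries}


if __name__ == "__main__":
    for idx, findings in run().items():
        print(idx, findings or "routine")
```

In practice the issuer allowlist should mirror your CAA records, and a "high" finding for an unknown issuer is the trigger to ask that CA to revoke the certificate.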
How to receive alerts when certificates are issued for your domains
To receive alerts when certificates are issued for your domains, you can subscribe to a Certificate Transparency (CT) monitor. CT is an ecosystem that makes the issuance of website certificates transparent and verifiable. It sits within the wider Web Public Key Infrastructure (Web PKI), the system of certificate authorities and browser trust stores that underpins encrypted HTTPS communication.
CT monitors follow the logs, watch for suspicious certificates, and can verify that every certificate a log promised to include is actually visible in it. They can be set up and run by anyone, and there are several options available, including:
- Cert Spotter: This monitor provides clear diagnostics and instructions for fixing problems, such as incorrect certificate chain installation and unauthorized certificate detection. It offers flexible notifications, allowing users to receive alerts via email, webhook, or Slack notification.
- Facebook's Certificate Transparency Monitoring tool: Sends an email, Facebook notification, or webhook callback every time a certificate is issued for one of your monitored domains. Sectigo's crt.sh, by contrast, is a search interface over the logs for ad-hoc lookups rather than a subscription service.
- Cloudflare's CT Monitoring: This is an opt-in feature in public beta that allows users to double-check any SSL/TLS certificates issued for their domain. Alerts are triggered whenever a certificate that covers a monitored domain is issued by a Certificate Authority (CA) and added to a public CT log.
To subscribe to a CT monitor, individuals or organizations can choose from the list of current monitors and select one that fits their needs. It is important to note that most certificate alerts are routine, such as scheduled renewals by the CA you use, and do not require any action. However, if something is clearly wrong, such as a certificate from an issuer you do not recognize, a hostname you never requested, or recent problems with your website, take action: ask the issuing CA to revoke the certificate, check your CAA records, and investigate how the validation was passed.
How to verify that a particular certificate exists in a log
Because every CT log is a Merkle tree whose root hash the log signs in its Signed Tree Head (STH), the presence of any single certificate can be proven without downloading the whole log: the log hands out an audit proof (also called an inclusion proof) that chains the certificate's leaf hash up to the signed root. Monitors and auditors use this to check that a log honoured the promise it made in an SCT.
Here's how to verify that a particular certificate is present in a log:
- Identify the logs that should contain it: the SCTs embedded in the certificate (or delivered in the TLS handshake or OCSP response) name the log by its log ID and carry the timestamp of the inclusion promise.
- Search the logs: CT search engines such as crt.sh let you look a certificate up by domain, serial number or fingerprint and show which logs hold it.
- Fetch the signed tree head: the log's `get-sth` endpoint (RFC 6962) returns the current tree size, root hash and the log's signature over them; verify the signature with the log's public key from the log list.
- Request the audit proof: `get-proof-by-hash`, given the SHA-256 leaf hash of the entry and the tree size, returns the entry's index and the sibling hashes from that leaf up to the root.
- Verify the proof: recompute the root hash from the leaf hash and the audit path and compare it with the root hash in the STH. A match proves inclusion; a log that cannot produce such a proof once the MMD has elapsed after the SCT timestamp has broken its promise, which is evidence of misbehaviour worth reporting.
- Let a monitor do this continuously: subscribing to a CT monitor for your domain gets you a notification whenever a pre-certificate or certificate for your domain appears in any of the logs that monitor checks, and monitors such as Cert Spotter and Facebook's tool perform the inclusion checks for you.
By following these steps, you can effectively utilize monitors to verify that a particular certificate exists in a log, ensuring the security and transparency of your website certificates.
How to check the consistency of a particular log
Monitors and auditors periodically fetch each log's latest Signed Tree Head (STH) and its new entries, and check that every new tree head is a consistent extension of the one they saw before. A log that rewrote or removed an entry after issuing an SCT, or that shows different trees to different clients (a split view), cannot pass these checks.
To check the consistency of a particular log between two tree sizes, request a consistency proof from it (`get-sth-consistency` with the old and new tree sizes, RFC 6962). The proof is the small set of node hashes needed to show that the older tree is a prefix of the newer one: recomputing from them must reproduce both the old root hash and the new root hash. A consistent later version of the log therefore contains every entry of the earlier version, in the same order, with new entries appended after them; if either recomputed root disagrees with the signed tree heads, the log has misbehaved.
The same Merkle machinery yields the audit (inclusion) proofs for individual certificates described in the previous section, so a monitor that has verified consistency can also verify that each certificate it was promised is present.
Both kinds of proof grow only logarithmically with the size of the log, so verification stays fast even for logs holding many millions of entries.
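As an added worked example (not code from this article or from any log or monitor implementation), the following Python implements the hash construction of RFC 6962 section 2.1 and the inclusion and consistency verification procedures of RFC 9162 (the revised CT specification, sections 2.1.3.2 and 2.1.4.2). It builds proofs the way a log would answer `get-proof-by-hash` and `get-sth-consistency`, and checks them the way a monitor or auditor would, including the case from the text where a log altered an entry after signing the earlier tree head. The entries are constructed byte strings standing in for encoded log entries.

```python
"""Merkle tree inclusion (audit) and consistency proofs per RFC 6962 section 2.1,
verified with the procedures of RFC 9162 sections 2.1.3.2 and 2.1.4.2.
Standard library only; ENTRIES are constructed byte strings, not real log entries."""
import hashlib


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()          # 0x00 prefix marks a leaf


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()   # 0x01 prefix marks an interior node


def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries) -> bytes:
    """MTH(D[n]): the root hash a log signs in its Signed Tree Head."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def audit_path(m: int, entries) -> list:
    """PATH(m, D[n]): sibling hashes from leaf m up to the root (get-proof-by-hash)."""
    n = len(entries)
    if n == 1:
        return []
    k = split_point(n)
    if m < k:
        return audit_path(m, entries[:k]) + [merkle_root(entries[k:])]
    return audit_path(m - k, entries[k:]) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int, path, root: bytes) -> bool:
    """Recompute the root from the leaf and its audit path; compare with the STH root."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:          # we are a right child (or the last node on this level)
            r = node_hash(p, r)
            if not fn & 1:
                while fn and not fn & 1:
                    fn, sn = fn >> 1, sn >> 1
        else:                            # we are a left child
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def consistency_proof(m: int, entries) -> list:
    """PROOF(m, D[n]): what get-sth-consistency returns for old size m and the current tree."""
    def subproof(m, part, complete):
        n = len(part)
        if m == n:
            return [] if complete else [merkle_root(part)]
        k = split_point(n)
        if m <= k:
            return subproof(m, part[:k], complete) + [merkle_root(part[k:])]
        return subproof(m - k, part[k:], False) + [merkle_root(part[:k])]
    return subproof(m, entries, True)


def verify_consistency(first: int, second: int, first_root: bytes, second_root: bytes, path) -> bool:
    """True if the tree of size `second` is an append-only extension of the tree of size `first`."""
    if first == second:
        return list(path) == [] and first_root == second_root
    if first == 0 or first > second or not path:
        return False
    path = list(path)
    if first & (first - 1) == 0:        # old tree was a perfect tree: its root is a node of the new one
        path.insert(0, first_root)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]                    # fr rebuilds the old root, sr the new root
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            if not fn & 1:
                while fn and not fn & 1:
                    fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_root and sr == second_root


ENTRIES = [b"cert-%d" % i for i in range(5)]   # constructed stand-ins for encoded log entries


def demo() -> dict:
    """Honest log (3 entries grown to 5) versus a log that rewrote entry 1 after signing the old STH."""
    old_root, new_root = merkle_root(ENTRIES[:3]), merkle_root(ENTRIES)
    tampered = [ENTRIES[0], b"cert-evil", ENTRIES[2], ENTRIES[3], ENTRIES[4]]
    return {
        "inclusion_ok": verify_inclusion(ENTRIES[2], 2, 5, audit_path(2, ENTRIES), new_root),
        "inclusion_wrong_leaf": verify_inclusion(b"cert-evil", 2, 5, audit_path(2, ENTRIES), new_root),
        "consistency_ok": verify_consistency(3, 5, old_root, new_root, consistency_proof(3, ENTRIES)),
        "consistency_tampered": verify_consistency(3, 5, old_root, merkle_root(tampered),
                                                   consistency_proof(3, tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real log the roots come from two `get-sth` responses whose signatures you have checked with the log's public key; the proof verification itself needs nothing but the hashes above.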
How to detect security and availability problems
Certificate Transparency (CT) is an ecosystem that makes the issuance of website certificates transparent and verifiable. It is a distributed ecosystem that relies on independent, reliable logs that are publicly verifiable, append-only, and tamper-evident. These logs are maintained by different organisations in different jurisdictions.
Monitors are publicly run servers that periodically contact all log servers and watch for suspicious certificates. They can be set up and run by anyone, including companies, organisations, subscription services for domain owners and certificate authorities, and individuals.
To detect security and availability problems, you can use a CT monitor such as Cert Spotter, which monitors your domains for expiring, unauthorised, and invalid SSL certificates. This allows you to act before an incident occurs. For example, attackers can use ill-gotten certificates to impersonate your website and intercept data from your customers. Additionally, expired, revoked, or incorrectly installed certificates can cause browser errors that drive customers away from your website.
Cert Spotter provides clear diagnostics and instructions for fixing problems, such as providing a link to download the correct chain or providing revocation instructions if an unauthorised certificate is detected. It also offers flexible notifications, allowing you to receive alerts through email, webhook, or Slack notification.
Other features of Cert Spotter include subdomain discovery, web dashboard, expiration monitoring, installation monitoring, compliance monitoring, unknown certificate alerts, CAA monitoring, and MTA-STS monitoring.
Frequently asked questions
What is Certificate Transparency?
Certificate Transparency (CT) is an Internet security standard for monitoring and auditing the issuance of digital certificates. It makes all issued certificates public in append-only, publicly verifiable logs, allowing website owners and auditors to detect and expose inappropriately issued certificates.
What is a CT log?
When a publicly trusted certificate is issued anywhere in the world, that certificate is submitted to one or more CT logs. A CT log is an independent, publicly verifiable, append-only and tamper-evident record of TLS/SSL certificates.
What does a CT monitor do?
CT monitors follow the logs, watch for suspicious certificates, and can verify that every certificate a log promised to include is actually visible in it. They can be set up and run by anyone, including companies, organisations, and individuals.
How should I choose a certificate monitoring service?
Choose a service that monitors your domains for expiring, unauthorised, and invalid SSL certificates, so you can act before an incident occurs. Look for a service that provides clear diagnostics and instructions for fixing problems, and one that allows you to customise notifications.