Certificate Transparency Logs: How They Keep the Web Safer

Certificate Transparency logs are public records of every SSL certificate issued. Learn how they work, why they exist, and how to search them.

Certificate Transparency (CT) is a system that makes SSL certificate issuance publicly auditable. Before CT, a Certificate Authority could issue a certificate for any domain without the domain owner ever knowing. CT changed that.

The Problem CT Solves

In 2011, DigiNotar — a Dutch CA — was compromised and issued fraudulent certificates for Google, Mozilla, and other major domains. Attackers used these to conduct man-in-the-middle attacks before the compromise was discovered. CT was designed to make this class of attack detectable immediately.

How It Works

Before a browser-trusted CA can issue a certificate, it must submit the certificate to one or more public CT logs, which are append-only, cryptographically verifiable records of every issued certificate. The log returns a Signed Certificate Timestamp (SCT), which is embedded in the certificate or delivered via a TLS extension.

When your browser validates a certificate, it checks for SCTs. If a certificate from a public CA lacks CT proof, Chrome and Safari reject it. This means every public certificate is logged and auditable.

What You Can Do with CT Logs

  • Find all certificates for your domain — services like crt.sh index CT logs and let you search by domain name. This is useful for discovering unauthorized certificates or forgotten subdomains.
  • Audit your CA — verify that your CA is only issuing what you've authorized.
  • Security research — analyze certificate issuance patterns across the internet.

CT in a Decoded Certificate

When you decode a certificate with our SSL Certificate Decoder, the extensions section shows the embedded SCTs if present — including the log ID, timestamp, and signature. Each SCT proves the certificate was logged before issuance.
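To show where the log ID, timestamp, and signature come from, here is an added example (not the decoder's own code) that parses the TLS-encoded SCT list defined in RFC 6962, section 3. It assumes the input is the list after the X.509 extension's OCTET STRING wrapper has been removed, it does not verify the signature, and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone
HASH_ALGS = {4: "sha256", 5: "sha384", 6: "sha512"}  # RFC 5246 HashAlgorithm
SIG_ALGS = {1: "rsa", 3: "ecdsa"}                     # RFC 5246 SignatureAlgorithm

def _take(buf, off, n):
    """Return n bytes at off, refusing to read past the end of the buffer."""
    if off + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[off:off + n], off + n

def _take_vec(buf, off):
    """Read a TLS vector with a 2-byte big-endian length prefix."""
    raw, off = _take(buf, off, 2)
    return _take(buf, off, struct.unpack(">H", raw)[0])

def parse_sct(sct):
    """Parse one v1 SCT (RFC 6962, section 3.2) into a dict."""
    head, off = _take(sct, 0, 41)          # version(1) + log ID(32) + timestamp(8)
    version, log_id, ts_ms = struct.unpack(">B32sQ", head)
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    _ext, off = _take_vec(sct, off)        # CtExtensions, empty in practice
    algs, off = _take(sct, off, 2)         # hash algorithm, signature algorithm
    signature, off = _take_vec(sct, off)
    if off != len(sct):
        raise ValueError("trailing bytes after SCT signature")
    return {
        "log_id": log_id.hex(),            # SHA-256 of the log's public key
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "hash_alg": HASH_ALGS.get(algs[0], f"unknown({algs[0]})"),
        "sig_alg": SIG_ALGS.get(algs[1], f"unknown({algs[1]})"),
        "signature": signature,
    }

def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList: an outer vector of inner vectors."""
    body, end = _take_vec(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, off = [], 0
    while off < len(body):
        item, off = _take_vec(body, off)
        scts.append(parse_sct(item))
    return scts

# Constructed sample: one SCT with a made-up log ID and a placeholder signature.
_sct = struct.pack(">B32sQHBBH4s", 0, bytes(range(32)), 1700000000000, 0, 4, 3, 4, b"\xde\xad\xbe\xef")
SAMPLE = struct.pack(">HH", len(_sct) + 2, len(_sct)) + _sct
```

Calling parse_sct_list(SAMPLE) returns one entry per embedded SCT; the hex log ID can then be matched against the log lists that browser vendors publish.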

Who Runs CT Logs?

Google, Cloudflare, DigiCert, and others operate CT logs. Google's Argon and Xenon logs and Cloudflare's Nimbus are among the most widely used. The logs must meet strict reliability and availability requirements set by browser vendors.
