Certificate Transparency (CT) Explained

Certificate Transparency (CT) is a public audit framework for TLS certificates. All publicly-trusted CAs are required to submit every certificate they issue to one or more append-only, publicly auditable CT logs. This allows domain owners, researchers, and security teams to monitor all certificates issued for their domains.

Signed Certificate Timestamps (SCTs)

When a CA submits a certificate to a CT log, the log returns a Signed Certificate Timestamp (SCT) — a cryptographic promise that the certificate will be publicly logged. The SCT is then embedded in the certificate (or delivered via the TLS handshake or OCSP stapling). Chrome and Safari require at least two SCTs from different logs before trusting a certificate.

Why CT Matters

Before CT, a misbehaving or compromised CA could issue unauthorized certificates for any domain without anyone noticing. CT makes certificate mis-issuance publicly auditable. Notable incidents that CT would have detected faster include the 2011 DigiNotar breach and several cases of CAs issuing certificates for Google domains without authorization.

CT in the Decoder

If a certificate has embedded SCTs, the decoder shows them in the Extensions section under ct_precert_scts or the TLS extension for delivered SCTs. You can also check any certificate against public CT logs using tools like crt.sh — search by domain name to see all certificates ever issued for a domain.

CT Monitoring for Domain Owners

Several free services monitor CT logs and alert you when a new certificate is issued for your domains. This is an important security control — if a certificate is issued without your knowledge, it may indicate a domain hijacking attempt or CA account compromise.