Certificate Transparency Logs

Given the ever-growing list of network compromises, securing our online presence has become more important than ever. One building block of online security is SSL/TLS certificates, which let servers and clients encrypt the data they exchange so that third parties cannot read it. However, the certificate authorities that issue these certificates can themselves be compromised, with severe consequences. This was seen back in 2011 with the certificate authorities Comodo and DigiNotar. Read more here. There have been around 10 CA compromises in the last 3 – 4 years. It is still a rare issue, but one that needs consideration. That is where Certificate Transparency comes in: an open framework for monitoring SSL/TLS certificates.

Certificate Transparency (CT) logging was started in earnest by Google in 2013 as a way to detect and prevent fraudulent SSL/TLS certificates. More details found here. The plan was to have every certificate issued for a domain recorded in CT logs, which makes it easy to track which certificates have been issued and by whom. By default, SSL/TLS certificates are validated against the Certificate Authority (CA) root certificates that ship with your browser or operating system, but by using CT you can monitor all certificates issued for your domain, not just the ones issued by the CAs your own devices trust.

One of the easiest ways to monitor your certificates is to use the website crt.sh, which is a publicly available CT log viewer. Simply enter your domain name in the search box, and it will display all the certificates issued for that domain, along with information about the issuer and the certificate’s validity. This information can help you detect any unauthorized certificates that have been issued for your domain.

Unfortunately, checking the crt.sh website by hand is time-consuming and a task nobody wants to do every day. A better way to monitor your certificates is to script the process and set up email notifications that alert you whenever a new certificate is issued for your domain. You can use the curl command, which is usually installed by default on Linux, to pull down the JSON data and parse it with jq. You might have to apt/yum install jq on your system. The following command monitors the domain london.ac.uk and emails the results to admin@networklogician.com.

# curl -s https://crt.sh/\?q\=london.ac.uk\&exclude=expired\&output\=json | jq . | jq -r '"Entry_Timestamp",(.[] | "\(.entry_timestamp)\t\(.issuer_name)\t\(.name_value)" | gsub("\t";" | ") | gsub("\n";","))' | column -t -s $'\t' | mail -s "Certificate Transparency Log - london.ac.uk" admin@networklogician.com

Here is a breakdown of what the command does:

  • curl -s https://crt.sh/\?q\=london.ac.uk\&exclude=expired\&output\=json retrieves a JSON list of all the certificates issued for the domain london.ac.uk, excluding any expired certificates.
  • jq . pretty-prints the JSON output.
  • jq -r '"Entry_Timestamp",(.[] | "\(.entry_timestamp)\t\(.issuer_name)\t\(.name_value)" | gsub("\t";" | ") | gsub("\n";","))' prints a header line and then, for each record, the entry timestamp, issuer name and certificate names (name_value), joining the fields with " | " and collapsing the multi-line list of names into comma-separated values.
  • column -t -s $'\t' aligns the output into columns.
  • mail -s "Certificate Transparency Log - london.ac.uk" admin@networklogician.com sends the formatted output in an email to the specified address.

By running this command periodically, you can monitor all the certificates issued for your domain and be notified whenever a new one is issued. This helps you detect unauthorized certificates and act before they are used in a breach. For a large organization, you might want to consider something like certspotter. However, most companies could script this on their own using bash. The simple script below could be a starting point and can be added to cron to run once a day. It assumes you ran the previous command and saved its results in /tmp/ctlog; it pulls down the current results, compares them with the previous day's and emails an alert if anything changed.

#!/bin/bash

# Get the latest crt.sh results for london.ac.uk and its subdomains (the %. wildcard).
# The line format produced here (timestamp | issuer | common_name) must match the
# format of the saved baseline in /tmp/ctlog, or every line will show up as changed.
new_results=$(curl -sf "https://crt.sh/?q=%.london.ac.uk&output=json" | jq -r '"Entry_Timestamp",(.[] | "\(.entry_timestamp)\t\(.issuer_name)\t\(.common_name)" | gsub("\t";" | ") | gsub("\n";","))')

# Stop if crt.sh returned nothing (network error, rate limit, non-JSON reply),
# so that an empty result is not reported as "all certificates disappeared".
if [[ -z "$new_results" ]]; then
   exit 1
fi

# Save results in new location
echo "$new_results" > /tmp/ctlog.new

# Compare with the previous /tmp/ctlog report; -s suppresses identical lines
changes=$(sdiff -w 200 -s /tmp/ctlog.new /tmp/ctlog)

# If there are any changes, email them to the admin
if [[ -n "$changes" ]]; then
   echo "$changes" | mail -s "Alert: Certificate Transparency Log Changes for london.ac.uk" admin@networklogician.com
fi

Note: Since this event should not occur often, the script does not overwrite the /tmp/ctlog file. The admin will therefore keep receiving the alert until the change has been verified and the updated results have been copied over manually.
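As an added example that is not part of the original post, here is the same comparison done in Python instead of jq and sdiff. It parses crt.sh-style JSON, keys each record on the crt.sh id (so a reordering of rows does not count as a change and the multi-line name_value list is handled explicitly), reports entries that are not in the previous baseline, and additionally flags any issuer that is not on an expected list. The JSON records, their id values, the baseline set and the EXPECTED_ISSUERS set are constructed for the example; on a real run the JSON would come from the crt.sh URL used in the script above and the baseline would be loaded from the previous run's saved output.

```python
"""Added example (not from the original post): a Python equivalent of the
jq/sdiff monitoring pipeline. Compares crt.sh JSON with a saved baseline by
crt.sh entry id and flags issuers that are not on an expected list.
All data below is constructed sample data, not real crt.sh output."""
import json
from typing import Iterable

# Constructed sample in the crt.sh JSON shape (fields used by the post:
# entry_timestamp, issuer_name, name_value; 'id' is the crt.sh row id).
SAMPLE_JSON = json.dumps([
    {"id": 1001, "entry_timestamp": "2023-01-10T09:00:00.000",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "london.ac.uk\nwww.london.ac.uk"},
    {"id": 1002, "entry_timestamp": "2023-02-01T12:30:00.000",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.london.ac.uk"},
    {"id": 1003, "entry_timestamp": "2023-03-05T16:45:00.000",
     # hypothetical issuer name, constructed for the example
     "issuer_name": "C=XX, O=Example Unknown CA, CN=Example Unknown CA",
     "name_value": "london.ac.uk"},
])

# Issuers the organisation expects to see; anything else deserves a look.
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}


def parse_entries(raw_json: str) -> dict:
    """Return {crt.sh id: entry dict}, with name_value split into a sorted list."""
    entries = {}
    for row in json.loads(raw_json):
        names = sorted(set(n.strip() for n in row["name_value"].split("\n") if n.strip()))
        entries[row["id"]] = {
            "entry_timestamp": row["entry_timestamp"],
            "issuer_name": row["issuer_name"],
            "names": names,
        }
    return entries


def new_entries(current: dict, baseline_ids: Iterable[int]) -> dict:
    """Entries present now but absent from the saved baseline (keyed by id)."""
    seen = set(baseline_ids)
    return {eid: e for eid, e in current.items() if eid not in seen}


def unexpected_issuers(entries: dict, expected: set) -> dict:
    """Entries whose issuer is not on the expected list."""
    return {eid: e for eid, e in entries.items() if e["issuer_name"] not in expected}


def format_report(entries: dict) -> str:
    """One 'timestamp | issuer | names' line per entry, like the post's jq output."""
    lines = ["Entry_Timestamp | Issuer | Names"]
    for eid in sorted(entries):
        e = entries[eid]
        lines.append(f"{e['entry_timestamp']} | {e['issuer_name']} | {','.join(e['names'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # In a real run the baseline ids come from the previous day's saved output.
    baseline_ids = {1001, 1002}
    current = parse_entries(SAMPLE_JSON)
    fresh = new_entries(current, baseline_ids)
    if fresh:
        print("New entries since baseline:")
        print(format_report(fresh))
    odd = unexpected_issuers(fresh, EXPECTED_ISSUERS)
    if odd:
        print("Unexpected issuer(s):")
        print(format_report(odd))
```

Keying on the crt.sh id rather than diffing lines positionally means a re-sorted or pretty-printed response does not trigger an alert, and the issuer check catches the case the post is really worried about: a certificate for your domain from a CA you never use.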

You can review RFC 9162 for more details.
