TIL: SSL Certificates are Published Through Certificate Transparency Logs

Ixonae · 2 mins

Today I learned that every time an SSL certificate is issued for a domain, it gets publicly logged in what are called Certificate Transparency (CT) logs.

Certificate Transparency was created by Google in 2013, following the DigiNotar incident (and others), in which that Certificate Authority (CA) was hacked and ended up issuing a number of fraudulent certificates intended to enable man-in-the-middle attacks.

The idea of Certificate Transparency (CT) is to enable monitoring and auditing of Certificate Authorities by publishing every issued certificate into public, append-only logs. That way, mis-issuance by a compromised CA can be detected quickly and remediated.

These logs can be viewed on platforms such as crt.sh. (I was aware of platforms like Censys listing certificates and domains before, and naively thought that they were just crawling the web and such to get them 😅)

Software such as Mozilla Firefox and Google Chrome then refuses certificates that are not part of the CT logs, using the Signed Certificate Timestamp (SCT) as evidence that a log has accepted the certificate.

Typically, a Certificate Authority submits the (pre)certificate to one or more log providers, receives an SCT from each, and embeds those signed timestamps in the final certificate. This lets client software verify each SCT signature against its list of trusted CT logs (and their public keys) without having to query the logs at browse time.

For example, for my own domain name, the SCTs can be read straight from the served certificate as follows.

$ echo | openssl s_client -connect ixonae.com:443 2>/dev/null | openssl x509 -noout -text | grep -A 20 "SCT"
    CT Precertificate SCTs:
        Signed Certificate Timestamp:
            Version   : v1 (0x0)
            Log ID    : 96:97:64:BF:55:58:97:AD:F7:43:87:68:37:08:42:77:
                        E9:F0:3A:D5:F6:A4:F3:36:6E:46:A4:3F:0F:CA:A9:C6
            Timestamp : Feb 10 20:26:14.687 2026 GMT
            Extensions: none
            Signature : ecdsa-with-SHA256
                        30:46:02:21:00:DB:E7:79:00:09:79:4F:B3:D6:0B:BA:
                        0B:E9:3F:BF:AB:CF:DF:78:3E:D0:71:B0:F3:C7:48:26:
                        57:8B:8C:A1:91:02:21:00:DE:9B:CA:E5:25:48:DE:DA:
                        25:78:B9:98:96:47:A4:AD:FA:65:C5:9F:47:68:8E:BD:
                        1F:28:9C:85:BC:EF:FE:CC
        Signed Certificate Timestamp:
            Version   : v1 (0x0)
            Log ID    : 49:9C:9B:69:DE:1D:7C:EC:FC:36:DE:CD:87:64:A6:B8:
                        5B:AF:0A:87:80:19:D1:55:52:FB:E9:EB:29:DD:F8:C3
            Timestamp : Feb 10 20:26:14.652 2026 GMT
            Extensions: none
            Signature : ecdsa-with-SHA256
                        30:45:02:21:00:B9:D9:26:BC:F4:BA:6F:E5:20:5A:4A:

Note that there isn't a single log, but many, run by different operators. Typically, browsers only accept SCTs from the set of trusted logs admitted to their CT log programs.
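To make the openssl output above more concrete, here is an added example (not code from the original post) that encodes and parses the wire format behind it: the SignedCertificateTimestampList from RFC 6962 section 3.3, which is the value of the X.509 extension that openssl labels "CT Precertificate SCTs". The sample bytes are constructed by re-serialising the two SCTs decoded in the post (their Log IDs, timestamps and the first signature); the second SCT's signature is a placeholder because the post's output is cut off before it ends. The code only parses and rebuilds the structure and derives Log IDs from a log's public key; verifying an SCT signature would additionally need the log's key from a browser's CT log list, which is not included here.

```python
"""Encode and parse a Certificate Transparency SignedCertificateTimestampList
(RFC 6962, section 3.3): the contents of the X.509 extension with OID
1.3.6.1.4.1.11129.2.4.2 that `openssl x509 -text` shows as "CT Precertificate SCTs".
"""
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SCT:
    version: int        # 0 is "v1", the only version RFC 6962 defines
    log_id: bytes       # SHA-256 of the log's DER-encoded public key (32 bytes)
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes   # empty for v1 SCTs in practice
    hash_alg: int       # TLS HashAlgorithm code point (4 = sha256)
    sig_alg: int        # TLS SignatureAlgorithm code point (3 = ecdsa)
    signature: bytes    # DER-encoded ECDSA signature for ecdsa logs

    @property
    def timestamp(self) -> datetime:
        # Integer arithmetic keeps the millisecond part exact (no float rounding).
        base = datetime.fromtimestamp(self.timestamp_ms // 1000, tz=timezone.utc)
        return base + timedelta(milliseconds=self.timestamp_ms % 1000)


def log_id_for_public_key(spki_der: bytes) -> bytes:
    """RFC 6962: Log ID = SHA-256 over the log's DER SubjectPublicKeyInfo. This is
    how a Log ID found in a certificate is matched to an entry in a browser's log list."""
    return hashlib.sha256(spki_der).digest()


def encode_sct(sct: SCT) -> bytes:
    return (bytes([sct.version]) + sct.log_id
            + struct.pack(">Q", sct.timestamp_ms)
            + struct.pack(">H", len(sct.extensions)) + sct.extensions
            + bytes([sct.hash_alg, sct.sig_alg])            # DigitallySigned header
            + struct.pack(">H", len(sct.signature)) + sct.signature)


def encode_sct_list(scts: list[SCT]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in map(encode_sct, scts))
    return struct.pack(">H", len(body)) + body


def parse_sct(data: bytes) -> SCT:
    if len(data) < 43:                      # version + log_id + timestamp + ext length
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    if len(data) < pos + 4:
        raise ValueError("truncated DigitallySigned structure")
    hash_alg, sig_alg = data[pos], data[pos + 1]
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(data):
        raise ValueError("signature length does not match SCT length")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> list[SCT]:
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


# Constructed sample: the two SCTs decoded by openssl in the post, re-serialised into
# their wire form. The second signature is a placeholder (the post's output is cut off).
SAMPLE_SCTS = [
    SCT(version=0,
        log_id=bytes.fromhex("969764bf555897adf743876837084277e9f03ad5f6a4f3366e46a43f0fcaa9c6"),
        timestamp_ms=1770755174687,          # Feb 10 20:26:14.687 2026 GMT
        extensions=b"", hash_alg=4, sig_alg=3,
        signature=bytes.fromhex(
            "30460221 00dbe779 0009794f b3d60bba 0be93fbf abcfdf78 3ed071b0 f3c74826"
            "578b8ca1 91022100 de9bcae5 2548deda 2578b998 9647a4ad fa65c59f 47688ebd"
            "1f289c85 bceffecc")),
    SCT(version=0,
        log_id=bytes.fromhex("499c9b69de1d7cecfc36decd8764a6b85baf0a878019d15552fbe9eb29ddf8c3"),
        timestamp_ms=1770755174652,          # Feb 10 20:26:14.652 2026 GMT
        extensions=b"", hash_alg=4, sig_alg=3,
        signature=b"placeholder-signature"),  # not the real signature
]
SAMPLE_SCT_LIST = encode_sct_list(SAMPLE_SCTS)

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print("Log ID   :", sct.log_id.hex(":").upper())
        print("Timestamp:", sct.timestamp.isoformat(timespec="milliseconds"))
        print("Signature:", len(sct.signature), "bytes\n")
```

Running the block prints the same Log IDs and timestamps openssl decoded. The length checks in `parse_sct` and `parse_sct_list` matter because this structure is parsed by every TLS client that enforces CT: a malformed length field must be rejected rather than silently read past the buffer.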

Extra Resources