SSL Monitoring

Certificate Transparency Monitoring for Security Teams

Certificate Transparency monitoring detects unauthorized SSL certificates issued for your domains. Learn how CT logs work and how to monitor them for security.

AzMonitor Team · July 15, 2025 · 7 min read · 910 words · Updated January 20, 2026
Tags: certificate transparency, CT logs, SSL security, domain security

Certificate Transparency (CT) is a set of public, append-only logs that record the certificates issued by publicly trusted Certificate Authorities. Since 2018, Chrome and Safari have refused to trust publicly trusted SSL/TLS certificates that are not CT-logged, so in practice every certificate a CA issues for the public web ends up in the logs. For security teams this transparency cuts both ways: you can watch the logs for every certificate issued for your domains, including ones you never authorized, but an attacker mapping your subdomains reads the same logs.

What Certificate Transparency Is

When a CA issues a certificate, it submits it (usually as a precertificate, before the final certificate exists) to one or more CT logs: append-only public ledgers that permanently record what was submitted. Each log returns a Signed Certificate Timestamp (SCT), a signed promise to publish the entry within the log's maximum merge delay (24 hours for the logs browsers accept). The CA embeds the SCTs in the final certificate (they can also be delivered in a TLS extension or a stapled OCSP response), and browsers check that a certificate carries valid SCTs from enough known logs before trusting it.

The security benefit: if an attacker compromises a CA (DigiNotar in 2011 is the textbook case) or tricks a CA into issuing a certificate for your domain, that certificate has to be logged before Chrome or Safari will accept it. Watching the logs lets you detect the issuance typically within minutes to a few hours, and never later than the log's maximum merge delay, long before a victim reports the phishing site. The caveat: CT only catches certificates the attacker needs browsers to trust. A certificate kept out of the logs still works against clients that do not enforce CT, which includes most non-browser TLS clients, so CT monitoring complements CAA records and DNS hygiene rather than replacing them.

What CT logs contain:

  • The full certificate (or precertificate), so everything in it: public key, signature algorithm, extensions
  • Domain name(s) in the certificate's Common Name and Subject Alternative Names
  • The CA that issued the certificate (issuer name and the issuing intermediate)
  • Validity period (not-before and not-after dates)
  • Certificate serial number
  • Timestamp of the log entry (the SCT timestamp)

What CT logs don't contain:

  • Private keys (they never leave the certificate holder)
  • Information about the holder beyond what is in the certificate's subject; for DV certificates that is just the domain names, while OV and EV certificates do carry the organization's name and location
  • Who requested the certificate or how the CA validated domain control; for that you need the CA's own records
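The "append-only" property above is not a promise the log operator makes; it is enforced by hashing every entry into a Merkle tree whose root the log signs, so a monitor can check that a certificate really sits in the tree the log advertises. What follows is an added Python example, not code from the article or from any log implementation: the RFC 6962 tree hash and the RFC 9162 inclusion-proof check, run over constructed byte strings that stand in for the MerkleTreeLeaf structures a real log hashes.

```python
"""RFC 6962 Merkle Tree Hash and RFC 9162 inclusion-proof verification.
Added example; the leaves are constructed byte strings standing in for the
MerkleTreeLeaf structures a real CT log hashes."""
from __future__ import annotations
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(leaf: bytes) -> bytes:
    # Domain separation: 0x00 prefixes leaves, 0x01 prefixes interior nodes,
    # so an attacker cannot pass off a node as a leaf (second-preimage attack).
    return _h(b"\x00" + leaf)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(leaves: list[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1; the log signs this root."""
    n = len(leaves)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return _h(b"\x01" + tree_hash(leaves[:k]) + tree_hash(leaves[k:]))


def inclusion_path(m: int, leaves: list[bytes]) -> list[bytes]:
    """Audit path for leaf m (RFC 6962 section 2.1.1): the sibling hashes a
    verifier needs to climb from the leaf to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, leaves[:k]) + [tree_hash(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [tree_hash(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: list[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2: recompute the root from leaf + path alone,
    using only the index and tree size to decide left/right at each level."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False  # path is longer than the tree is tall
        if fn & 1 or fn == sn:
            r = _h(b"\x01" + p + r)  # p is a left sibling
            if not fn & 1:
                # fn == sn on a rightmost node: skip the levels it is alone on
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = _h(b"\x01" + r + p)  # p is a right sibling
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


if __name__ == "__main__":
    leaves = [f"cert-{i}".encode() for i in range(7)]  # constructed entries
    root = tree_hash(leaves)
    proof = inclusion_path(4, leaves)
    print("root", root.hex(), "proof length", len(proof))
    print("leaf 4 included:", verify_inclusion(leaves[4], 4, 7, proof, root))
    print("forged leaf:", verify_inclusion(b"forged", 4, 7, proof, root))
```

A real monitor fetches the signed tree head from the log's get-sth endpoint, asks get-proof-by-hash for the path, and runs the equivalent of verify_inclusion; the verifier never needs the other entries, only log2(n) sibling hashes, which is what makes auditing a log with billions of entries practical.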

How CT Monitoring Works

CT monitoring services watch the logs for new entries that name your domains:

  1. The monitor follows every log in the browser-trusted log lists (Google and Apple publish them; operators include Google, Cloudflare, DigiCert, Let's Encrypt and Sectigo). A CA may log to any qualifying log, so a monitor that follows only a few of them misses certificates.
  2. New entries (usually precertificates, so often before the final certificate is even issued) are fetched and parsed as they are published, typically within minutes to hours and never later than the log's 24-hour maximum merge delay.
  3. Entries whose names match your watchlist are compared against what you expected, and you are notified.
  4. You review the notification: was this certificate expected? If not, investigate immediately.

Setting Up CT Monitoring

Using crt.sh for Manual Monitoring

The crt.sh website indexes the CT logs into a searchable database and exposes a JSON search API:

# Find all certificates issued for yoursite.com and its subdomains.
# %25 is a URL-encoded %, the SQL LIKE wildcard crt.sh accepts; query the bare
# apex separately, since %.yoursite.com only matches names with a subdomain label.
curl -s "https://crt.sh/?q=%25.yoursite.com&output=json" | \
  jq '.[] | {id, issuer_name, not_before, not_after, name_value}'

# Output covers every certificate ever logged for those names (add &exclude=expired
# to drop expired ones). crt.sh returns one row per matched name, so the same
# certificate id can appear more than once; name_value lists every SAN, one per line.

This is useful for ad-hoc investigation and for building your initial inventory, but it isn't real-time monitoring: crt.sh is a best-effort third-party index that can lag the logs and rate-limits heavy clients.

Automated CT Monitoring with certspotter

certspotter by SSLMate follows the browser-trusted logs directly (no dependence on crt.sh) and notifies you of new certificates matching a watchlist:

# Install certspotter (needs a Go toolchain)
go install software.sslmate.com/src/certspotter/cmd/certspotter@latest

# Build the watchlist: a leading dot matches the domain and every subdomain,
# a bare name matches only that exact name
printf '.yoursite.com\n.yourcompany.com\n' > domains.txt

# Run (or set up as a systemd service). notify.sh is executed once per discovered
# certificate with the details in environment variables; use -stdout instead to
# just print them.
certspotter -watchlist domains.txt -script notify.sh

CT Monitoring via AzMonitor

AzMonitor's SSL monitoring includes CT log scanning as part of its certificate monitoring service. Configure domains to watch:

ct_monitoring:
  domains:
    - "yoursite.com"
    - "*.yoursite.com"
    - "yourcompany.com"
    - "*.yourcompany.com"
  alert_on_new_certificate: true
  alert_channels: [security-team, slack]
  allowlist:
    - issuer: "Let's Encrypt"
      domains: ["yoursite.com", "www.yoursite.com", "api.yoursite.com"]
    - issuer: "DigiCert"
      domains: ["yoursite.com"]

Configure an allowlist of expected issuer and domain pairs so you're only alerted on unexpected certificates. Treat the allowlist as policy: it should name every CA your ACME clients and certificate team actually use for each hostname, and nothing else. An allowlist that is too narrow pages you on every routine renewal until someone mutes the alert, which is worse than no alert at all.

What to Watch For in CT Monitoring

Unauthorized Certificates

Any certificate issued for your domain by a CA you didn't authorize is a potential security incident:

ALERT: New certificate for yoursite.com
Issuer: Sectigo (formerly Comodo CA)
Issued: 2025-11-15 03:42:00 UTC
Valid until: 2026-11-15
Subject Alternative Names: yoursite.com, www.yoursite.com, login.yoursite.com

Expected issuer: Let's Encrypt
ACTION REQUIRED: Investigate immediately

If you use Let's Encrypt exclusively but see a certificate from Sectigo, work out which of these it is:

  • Someone on your team bought a commercial certificate without telling security (coordinate, then add it to the allowlist)
  • A subdomain is fronted by a third party (CDN, SaaS vendor, hosting provider) that provisions its own certificate
  • An attacker passed domain validation without your knowledge, for example through a dangling DNS record pointing at a host they now control, a hijacked DNS or registrar account, or a BGP hijack against the CA's validation traffic
  • A fraudulent certificate was issued by a compromised or coerced CA (rare, but this is the case CT was built for)

Certificates for Unexpected Subdomains

CT monitoring often reveals subdomains you didn't know were externally reachable, and anyone else reading the logs sees them too:

New certificate issued for:
staging.yoursite.com
dev.yoursite.com
old-api.yoursite.com  ← Was this decommissioned?
internal-admin.yoursite.com  ← Should this be public?

Each of these might be legitimate, or might be shadow IT, a forgotten host that is now a subdomain-takeover risk, or a misconfiguration. Hostnames that should never be public are a reconnaissance gift when they appear in a publicly trusted certificate; put them behind a wildcard or issue from a private CA instead.

Certificate Issuance from Wrong CA

Organizations with an approved-CA list in their security policy should alert whenever a certificate comes from an unapproved CA, even if the domain and content are legitimate. Pair detection with prevention: publish CAA DNS records (RFC 8659) naming only your approved CAs. Every publicly trusted CA has been required to check CAA before issuing since September 2017, so an unapproved CA that issues anyway has misissued and must revoke, and the CT alert becomes the evidence.

Wildcard Certificate Issuance

Wildcard certificates (*.yoursite.com) are high-value targets because one certificate covers every subdomain, and their private keys tend to get copied onto many hosts. Alert specifically on new wildcard issuance, and treat one you did not expect as an incident:

CRITICAL ALERT: New wildcard certificate issued
Certificate: *.yoursite.com
Issuer: Unknown CA (not on approved list)
Expected: no wildcard certificates authorized

This certificate could be used to impersonate any subdomain of yoursite.com
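To show how the allowlist from the configuration section turns raw log entries into the alert types described above (unapproved CA, unexpected subdomain, approved CA used for the wrong host, wildcard), here is an added Python example that is not part of the original article and not AzMonitor or crt.sh code. It triages records in the JSON shape crt.sh returns, as shown in the manual-monitoring section. The records, allowlist entries and KNOWN_HOSTS inventory are constructed for illustration; the one assumption about real data is that the allowlist is keyed on the O= attribute of the issuer DN, which is how the CAs in the sample identify themselves.

```python
"""Triage crt.sh-style CT records against an issuer/host allowlist.
All data below is constructed for illustration; nothing was fetched from a log."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Policy: which CA (matched on the O= attribute of the issuer DN) may issue
# for which exact names. Anything else on a monitored zone is a finding.
ALLOWLIST = {
    "Let's Encrypt": {"yoursite.com", "www.yoursite.com", "api.yoursite.com"},
    "DigiCert Inc": {"yoursite.com"},
}
MONITORED_ZONES = ("yoursite.com", "yourcompany.com")
# Hosts we know are meant to be reachable: separates "approved CA but wrong
# host" from "host nobody told us about" (shadow IT or a takeover).
KNOWN_HOSTS = {"yoursite.com", "www.yoursite.com", "api.yoursite.com",
               "staging.yoursite.com"}

# Constructed records in the shape crt.sh's output=json returns: one row per
# matched identity (so an id can repeat), name_value newline-separated.
# Fields this script does not use (not_before, not_after, serial_number) are omitted.
SAMPLE_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "yoursite.com\nwww.yoursite.com"},
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "yoursite.com\nwww.yoursite.com"},
    {"id": 102, "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA DV CA",
     "name_value": "yoursite.com\nwww.yoursite.com\nlogin.yoursite.com"},
    {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "name_value": "*.yoursite.com\nyoursite.com"},
    {"id": 104, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "www.yoursite.com\nold-api.yoursite.com"},
    {"id": 105, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "internal-admin.yoursite.com"},
    {"id": 106, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "unrelated.example.net"},
])


@dataclass(frozen=True)
class Finding:
    cert_id: int
    name: str
    issuer: str
    severity: str  # CRITICAL > HIGH > MEDIUM
    reason: str


def issuer_org(dn: str) -> str:
    """O= attribute of a comma-separated DN (assumes no escaped commas)."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "O":
            return value
    return dn


def in_monitored_zone(name: str) -> bool:
    """Require the zone on a label boundary so notyoursite.com never matches."""
    host = name[2:] if name.startswith("*.") else name
    return any(host == z or host.endswith("." + z) for z in MONITORED_ZONES)


def load_records(raw: str) -> list[dict]:
    """Parse crt.sh JSON and collapse its one-row-per-identity duplicates."""
    seen: set[int] = set()
    out = []
    for rec in json.loads(raw):
        if rec["id"] not in seen:
            seen.add(rec["id"])
            out.append(rec)
    return out


def classify(name: str, issuer: str) -> tuple[str, str] | None:
    """Most severe way a (name, issuer) pair deviates from policy, or None."""
    if name.startswith("*."):
        return "CRITICAL", "new wildcard certificate covers every subdomain"
    allowed = ALLOWLIST.get(issuer)
    if allowed is None:
        return "HIGH", "issued by a CA not on the approved list"
    if name in allowed:
        return None
    if name in KNOWN_HOSTS:
        return "MEDIUM", "approved CA, but not approved for this host"
    return "MEDIUM", "host not in inventory: shadow IT or takeover?"


def triage(records: list[dict]) -> list[Finding]:
    findings = []
    for rec in records:
        issuer = issuer_org(rec["issuer_name"])
        for name in rec["name_value"].split("\n"):
            if in_monitored_zone(name) and (hit := classify(name, issuer)):
                findings.append(Finding(rec["id"], name, issuer, *hit))
    return findings


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_JSON)):
        print(f"{f.severity:8} id {f.cert_id} {f.name} from {f.issuer}: {f.reason}")
```

Replace SAMPLE_JSON with sys.stdin.read() and pipe the curl command from the crt.sh section into it to triage live data. Two details matter more than they look: deduplicating on id, because crt.sh emits one row per matched name and would otherwise triple-count a three-SAN certificate, and matching zones on a label boundary so that a certificate for notyoursite.com is not treated as yours.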

Responding to Unauthorized Certificates

If CT monitoring alerts you to a certificate you didn't authorize:

  1. Verify with your team — Did anyone legitimately issue this certificate? Check your ACME client logs and the CA accounts you own before assuming the worst.
  2. Preserve the evidence — Record the certificate's SHA-256 fingerprint, serial number, issuer, and the log URL and entry index (or crt.sh id). The CA will ask for these.
  3. Contact the issuing CA — Every publicly trusted CA publishes a certificate problem reporting address (the CCADB lists them); report the unauthorized issuance with your evidence.
  4. Request revocation — The CA/Browser Forum Baseline Requirements oblige a CA to revoke within 24 hours once it has evidence that the certificate request was not authorized. Revocation remains a weak control, since many clients never check it, so it does not end the incident.
  5. Investigate how it happened — How was domain control validated without your knowledge? Audit DNS and registrar account access, look for dangling records and subdomain takeovers, and review who can act in your CA accounts.
  6. Check for active use — Is the certificate actually being served? Watch for DNS changes on the affected names, search your TLS telemetry for the certificate's fingerprint, and hunt for phishing infrastructure presenting it.
  7. Escalate — If the CA failed to follow its own policy or the root programs' requirements, file a public incident report (Mozilla's Bugzilla tracks CA incidents); in a genuine CA compromise, Google, Mozilla, Apple and Microsoft decide on distrust.

CT Monitoring as Part of Your Security Program

Certificate Transparency monitoring is most valuable as part of a broader domain security program, where it is the detective control and the others are preventive:

  • CT monitoring — Detect unauthorized certificate issuance
  • CAA records — Restrict which CAs may issue for your domains in the first place
  • DNS monitoring — Detect unauthorized DNS record changes, the usual path to passing domain validation
  • SSL/TLS monitoring — Validate certificate validity and configuration
  • Domain lock — Prevent unauthorized domain transfers

Set up CT monitoring with AzMonitor alongside SSL certificate monitoring for comprehensive domain security. See also SSL certificate monitoring for the full certificate management picture.
