What is Certificate Transparency (CT)? How do you query CT logs?
2022-06-30 02:25:00 【Racent_ Y】
Defects in the current digital certificate management system have made it increasingly obvious that fraudulent certificates lead to security problems and privacy disclosure risks. Certificate Transparency (CT) emerged to address this issue. As an aid to the certificate ecosystem, CT requires a CA to publish every digital certificate it issues to a certificate log, where it is monitored and audited to ensure that the certificate transparency mechanism works correctly and effectively. This mitigates mis-issuance of certificates and reduces security issues and privacy breaches.
What is Certificate Transparency (CT)?
Certificate Transparency, abbreviated CT, is a system for recording and monitoring the issuance of SSL certificates. Its purpose is to detect server certificates forged by CAs or other malicious parties. Because every major CA is trusted by all browsers, any one of them can issue a certificate for your domain name, and if such a certificate is malicious, your browser will still trust it unconditionally.
Symantec issued a pre-signed certificate, valid for one day, for a Google domain name without Google's knowledge. A CA that abuses its authority, or is wrongly used to issue forged digital certificates, puts users' privacy at risk. CT therefore adds a layer of security to SSL certificate trust: instead of the client simply trusting the CA, users and enterprises can query and monitor through CT, at any time, who has issued SSL certificates for their domain names, and so confirm that the certificates are legitimate.
(Figure: prompt shown for a certificate that is not recorded in a certificate log)
How does Certificate Transparency (CT) work?
The certificate transparency mechanism works through the following three components:
- CT Logs (certificate log servers): keep the issuance records of all certificates. Anyone can query or verify whether an issued digital certificate has been properly recorded in the log. A certificate log includes certificates that are expired, not yet in force, revoked, or otherwise not fully valid. Anyone can add a certificate to the log, but it is usually the CA that does so. The certificate log is append-only: entries cannot be modified or deleted.
- Monitors: regularly watch the log servers for abnormal behavior and suspicious certificates. If a fake certificate is found, the CA can be contacted quickly to revoke the illegitimate certificate.
- Auditors: verify the integrity of the certificate log. The log can be checked regularly to ensure that it is operating normally; a log that does not operate correctly may be shut down.
These three components work together to ensure that the certificate transparency mechanism works correctly and effectively.
(Figure: diagram of how certificate transparency operates)
What are the benefits of CT logs?
- Early detection. Querying the SSL certificate issuance log can help you find unauthorized certificates within a few hours rather than days or weeks. The domain name owner can also look up any certificate issued without approval, which helps avoid mis-issuance caused by human error or counterfeiting.
- More secure.
  - Because records can only be added to a CT log, and old records cannot be modified or deleted, tampering is prevented.
  - Any domain name owner can check in the log whether a certificate was issued by a trusted CA or issued maliciously, which prevents users from being deceived by fraudulent certificates.
  - Besides the domain name owner, any interested party can view these certificates. This encourages certification authorities to be more responsible when issuing certificates and strengthens the chain of trust.
  - If the certificate of a website the user visits is not recorded in a CT log, the browser will not show the connection as secure or display the security lock icon, which also makes users' online browsing safer.
- Query certificate validity. Querying the SSL certificate issuance log lets you identify and monitor which certificates are about to expire or need to be revoked, so that the enterprise can contact the CA or service provider in time and avoid unnecessary losses caused by certificate expiration.
- Query certificate and issuer information. In addition to the validity period, the CT log shows the issuer of a domain's certificates, subdomain coverage, the history of all previous certificates, and other important details.
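The early-detection and validity checks described above can be automated by a domain owner acting as a monitor. This added example (not code from the original article) reviews a constructed list of log query results for one domain; the record fields, CA names and dates are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample of CT query results (not real log data); field names are assumptions.
ENTRIES = [
    {"id": 1, "issuer": "Trusted CA A", "names": ["example.com", "www.example.com"],
     "not_after": date(2022, 9, 1)},
    {"id": 2, "issuer": "Unknown CA X", "names": ["login.example.com"],
     "not_after": date(2023, 1, 1)},
    {"id": 3, "issuer": "Trusted CA A", "names": ["*.example.com"],
     "not_after": date(2022, 7, 10)},
    {"id": 4, "issuer": "Unknown CA X", "names": ["example.com.lookalike.test"],
     "not_after": date(2023, 1, 1)},
]
ALLOWED = {"Trusted CA A"}     # CAs the domain owner actually uses (assumption)
TODAY = date(2022, 6, 30)      # fixed date so the result is reproducible

def covers(name, domain):
    """True if a certificate name is the domain itself or a (wildcard) subdomain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Require a label boundary so "example.com.lookalike.test" does not match.
    return name == domain or name.endswith("." + domain)

def review(entries, domain, allowed_issuers, today, warn_days=30):
    """Return (entry id, finding) pairs for certificates issued for `domain`."""
    findings = []
    for e in entries:
        if not any(covers(n, domain) for n in e["names"]):
            continue                                   # not a certificate for our domain
        if e["issuer"] not in allowed_issuers:
            findings.append((e["id"], "unexpected-issuer"))
        elif today <= e["not_after"] <= today + timedelta(days=warn_days):
            findings.append((e["id"], "expiring-soon"))
    return findings
```

With the sample data, `review(ENTRIES, "example.com", ALLOWED, TODAY)` flags entry 2 for its issuer and entry 3 for its approaching expiry.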
How do you query CT logs?
A free CT log query tool gives users a way to find all digital certificates issued for a given domain name. The method is as follows:
1. Open the website, hover over "SSL certificate", and in the SSL toolbar on the right click "SSL certificate issuance log query".
(Figure: location of the SSL certificate issuance log query)
2. Enter a domain name or company name to query all SSL certificate log entries issued for that domain name or enterprise.
(Figure: entering a domain name to query the SSL certificate issuance log)
Conclusion
Certificate Transparency (CT) is a major improvement for the security industry and is of great significance for recording, monitoring, and auditing SSL digital certificates. A reputable CA will ensure that every certificate is recorded in CT logs, so choose SSL certificates issued by an authoritative and credible CA to protect your website.
This article is reproduced from https://www.racent.com/blog/certificate-transparency-and-ct-logs