Certificate Transparency Logs: How to Monitor SSL/TLS Certificates for Threat Intelligence and Subdomain Discovery

Certificate Transparency (CT) logs are public, append-only records of SSL/TLS certificates that provide a goldmine of intelligence for cybersecurity professionals. Learn how to leverage these logs for threat hunting, subdomain enumeration, and monitoring your organization's digital footprint.

In today's digital landscape, SSL/TLS certificates are everywhere – securing websites, APIs, internal services, and more. But did you know that most of these certificates are publicly logged in searchable databases? Certificate Transparency logs were created to increase accountability and security in the certificate ecosystem, but they've become invaluable tools for cybersecurity practitioners.

Whether you're a penetration tester looking for attack surfaces, a threat intelligence analyst tracking malicious infrastructure, or a security professional monitoring your organization's certificate usage, CT logs offer unprecedented visibility into the SSL/TLS certificate landscape.

Understanding Certificate Transparency Logs

Certificate Transparency is a framework designed to remedy certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, certificate authorities (CAs), and domain name system (DNS) operators.

When a certificate authority issues an SSL/TLS certificate, it's typically logged to one or more CT logs within hours. These logs contain:

• Domain names and subdomains covered by the certificate
• Certificate authority that issued the certificate
• Issuance timestamp showing when the certificate was created
• Certificate details including validity period and technical specifications
• Organization information (for validated certificates)

The beauty of CT logs lies in their public nature – anyone can query them without authentication, making them perfect for reconnaissance and monitoring activities.

Tools and Techniques for Querying CT Logs

Several online tools and command-line utilities make it easy to search Certificate Transparency logs. Let's explore the most effective methods:

Online CT Log Search Engines

crt.sh is probably the most popular CT log search engine. You can search for certificates by domain name, organization, or certificate fingerprint. The interface is simple but powerful:

• Search for example.com to find certificates for that exact domain
• Use %.example.com to find all subdomains of example.com
• Search by organization name to find all certificates issued to a company

Censys provides more advanced filtering capabilities and API access, making it excellent for automated monitoring and bulk analysis.

Command-Line Tools

For automation and integration into security workflows, command-line tools are essential. Here are some practical examples:

Using curl with crt.sh API:

# Search for all subdomains of example.com
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u

# Search for certificates issued in the last 30 days
curl -s "https://crt.sh/?q=example.com&output=json" | jq -r '.[] | select(.not_before > (now - 30*24*3600 | strftime("%Y-%m-%dT%H:%M:%S"))) | .name_value'

Using specialized tools like ctfr:

# Install ctfr
pip3 install ctfr

# Search for subdomains
ctfr -d example.com -o subdomains.txt

Python Automation

For more complex analysis, Python scripts can automate CT log monitoring:

import requests
import json
import time

def monitor_new_certificates(domain):
    url = f"https://crt.sh/?q=%.{domain}&output=json"
    
    try:
        response = requests.get(url)
        certificates = response.json()
        
        for cert in certificates:
            print(f"Domain: {cert['name_value']}")
            print(f"Issued by: {cert['issuer_name']}")
            print(f"Not before: {cert['not_before']}")
            print("---")
            
    except Exception as e:
        print(f"Error: {e}")

# Monitor certificates for your domain
monitor_new_certificates("yourdomain.com")

Practical Applications for Cybersecurity

Certificate Transparency logs serve multiple purposes in cybersecurity operations. Here's how to leverage them effectively:

Subdomain Discovery and Attack Surface Mapping

One of the most common uses of CT logs is discovering subdomains that might not be found through traditional DNS enumeration. Many organizations have internal services, staging environments, or forgotten subdomains that only become visible through certificate logs.

# Comprehensive subdomain discovery
curl -s "https://crt.sh/?q=%.target.com&output=json" | \
jq -r '.[].name_value' | \
sed 's/\*\.//g' | \
sort -u | \
grep -v "^$" > discovered_subdomains.txt

# Check which subdomains are actually reachable
while read subdomain; do
    if curl -s --connect-timeout 3 "https://$subdomain" > /dev/null; then
        echo "$subdomain is reachable"
    fi
done < discovered_subdomains.txt

Threat Intelligence and Malicious Infrastructure Tracking

Security analysts can monitor CT logs to identify suspicious certificate patterns:

• Typosquatting domains that mimic legitimate brands
• Suspicious certificate authorities or unusual issuance patterns
• Rapid certificate generation which might indicate automated malicious activity
• Certificates for known malicious domains or IP addresses

Brand Protection and Monitoring

Organizations can set up automated monitoring to detect:

• Unauthorized certificates issued for their domains
• Potential phishing sites using similar domain names
• Shadow IT services that might pose security risks
• Certificate expiration tracking for critical services

# Monitor for potential typosquatting
domain="yourcompany.com"
suspicious_patterns=("$domain" "${domain/company/compnay}" "${domain/.com/.net}")

for pattern in "${suspicious_patterns[@]}"; do
    echo "Checking pattern: $pattern"
    curl -s "https://crt.sh/?q=%.$pattern&output=json" | \
    jq -r '.[].name_value' | \
    sort -u
done

Advanced Monitoring and Alerting

To maximize the value of CT log monitoring, implement continuous surveillance rather than one-off searches. Here's how to set up effective monitoring:

Automated Monitoring Scripts

Create scripts that run periodically to check for new certificates:

#!/bin/bash
# ct-monitor.sh - Monitor for new certificates

DOMAIN="example.com"
LAST_RUN_FILE="/tmp/ct_last_run"
CURRENT_TIME=$(date +%s)

# Get timestamp from last run (default to 24 hours ago)
if [ -f "$LAST_RUN_FILE" ]; then
    LAST_RUN=$(cat "$LAST_RUN_FILE")
else
    LAST_RUN=$((CURRENT_TIME - 86400))
fi

# Query CT logs for new certificates
NEW_CERTS=$(curl -s "https://crt.sh/?q=%.$DOMAIN&output=json" | \
jq -r --arg since "$(date -d @$LAST_RUN '+%Y-%m-%d')" \
'[.[] | select(.not_before > $since)] | unique_by(.name_value) | .[].name_value')

if [ ! -z "$NEW_CERTS" ]; then
    echo "New certificates found:"
    echo "$NEW_CERTS"
    # Send alert (email, Slack, etc.)
fi

# Update last run timestamp
echo "$CURRENT_TIME" > "$LAST_RUN_FILE"

Integration with Security Tools

CT log data can be integrated into broader security monitoring workflows:

• SIEM integration: Feed certificate data into security information and event management systems
• Threat hunting: Correlate certificate issuance with other suspicious activities
• Asset management: Keep inventory of organizational certificates and their expiration dates

Best Practices and Considerations

When working with Certificate Transparency logs, keep these important points in mind:

Rate Limiting: Most CT log APIs have rate limits. Implement appropriate delays and respect these limits to avoid being blocked.

Data Lag: There can be a delay between certificate issuance and appearance in CT logs, typically ranging from minutes to hours.

False Positives: Not all certificates in CT logs represent active services. Always verify that discovered subdomains are actually reachable.

Privacy Considerations: Remember that CT logs are public. Any certificate you request will be visible to others, which might reveal information about your infrastructure.

Conclusion and Next Steps

Certificate Transparency logs represent one of the most valuable open-source intelligence resources available to cybersecurity professionals. They provide unprecedented visibility into SSL/TLS certificate issuance patterns, enabling effective subdomain discovery, threat intelligence gathering, and security monitoring.

To get started with CT log monitoring:

1. Begin with manual exploration using crt.sh to understand what certificate data is available for your targets
2. Automate your searches using the command-line techniques and scripts provided in this guide
3. Set up continuous monitoring for your organization's domains and key competitors or threat actors
4. Integrate CT log data into your existing security workflows and tools
5. Develop custom analysis based on your specific use cases and threat model

As you become more comfortable with CT logs, consider exploring advanced techniques like correlating certificate data with DNS records, analyzing certificate authority trust patterns, and building comprehensive threat intelligence feeds. The transparency that makes these logs valuable for security also makes them an essential tool in any cybersecurity professional's toolkit.