Certificate Transparency (CT) Logs
Location
Public CT log servers (crt.sh, Google Argon, Cloudflare Nimbus) or CT monitoring services (Censys, CertStream)
Description
Public append-only logs recording all TLS/SSL certificates issued by participating Certificate Authorities. Searchable by domain name, providing a complete issuance history for any domain with certificate details, validity period, and issuing CA.
Forensic Value
CT logs detect fraudulently issued certificates for organizational domains that could enable man-in-the-middle attacks. Monitoring CT logs proactively reveals when attackers obtain certificates for lookalike phishing domains (typosquatting) before attacks begin. During incident response, CT log searches identify all certificates issued for compromised domains, including wildcard certs that may have been issued to attacker-controlled infrastructure. Historical certificate issuance timelines help establish when attacker infrastructure was prepared.
Tools Required
Collection Commands
crt.sh
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq '.[0:100] | .[] | {name_value, issuer_name, not_before, not_after}' > ct_certs.json
openssl
echo | openssl s_client -connect suspicious-domain.com:443 -servername suspicious-domain.com 2>/dev/null | openssl x509 -noout -text > cert_details.txt
CertStream
python3 -c "import certstream; certstream.listen_for_events(lambda msg,ctx: print(msg['data']['leaf_cert']['subject']['CN']) if 'example' in str(msg.get('data',{}).get('leaf_cert',{}).get('subject',{}).get('CN','')) else None, url='wss://certstream.calidog.io')"
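The Forensic Value section describes three analysis steps that the raw collection commands above do not perform: building an issuance timeline for a domain, flagging wildcard certificates and certificates from an unexpected CA, and spotting lookalike names of the kind a CertStream feed surfaces. The following is an added example (not part of the original page, crt.sh, or CertStream) that carries out those steps over a constructed sample in the shape that `crt.sh/?q=...&output=json` returns. The record fields, the sample certificates, the approved-CA list and the edit-distance threshold are all assumptions for illustration.

```python
import json
from datetime import datetime

# Constructed sample mimicking crt.sh JSON output; these are not real certificates.
# Entries 1003 and 1004 share a serial number, the way crt.sh lists a precertificate
# and its final certificate as two rows.
SAMPLE_CRTSH_JSON = r"""[
 {"id": 1001, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
  "name_value": "example.com\nwww.example.com", "serial_number": "0a1b",
  "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T23:59:59"},
 {"id": 1002, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
  "name_value": "example.com\nwww.example.com", "serial_number": "0a1c",
  "not_before": "2024-02-15T00:00:00", "not_after": "2025-02-15T23:59:59"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "*.example.com", "serial_number": "03ff",
  "not_before": "2024-06-20T03:14:07", "not_after": "2024-09-18T03:14:06"},
 {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "*.example.com", "serial_number": "03ff",
  "not_before": "2024-06-20T03:14:07", "not_after": "2024-09-18T03:14:06"}
]"""


def _issuer_org(issuer_name):
    """Pull the O= component out of an issuer distinguished name (assumes ', ' separators)."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return ""


def parse_crtsh(raw_json):
    """Turn crt.sh JSON rows into records with lowercase name lists and datetime bounds."""
    records = []
    for rec in json.loads(raw_json):
        # name_value holds one SAN per line
        names = sorted({n.strip().lower() for n in rec["name_value"].splitlines() if n.strip()})
        records.append({
            "id": rec["id"],
            "issuer": rec["issuer_name"],
            "issuer_org": _issuer_org(rec["issuer_name"]),
            "serial": rec.get("serial_number", ""),
            "names": names,
            "not_before": datetime.fromisoformat(rec["not_before"]),
            "not_after": datetime.fromisoformat(rec["not_after"]),
        })
    return records


def dedupe(records):
    """Collapse precertificate/certificate pairs, keyed on issuer and serial number."""
    seen, out = set(), []
    for r in sorted(records, key=lambda r: r["not_before"]):
        key = (r["issuer"], r["serial"])
        if key in seen:
            continue
        seen.add(key)
        out.append(r)
    return out


def issuance_timeline(records):
    """Chronological (date, crt.sh id, issuer org, names) tuples for the incident timeline."""
    return [(r["not_before"].strftime("%Y-%m-%d"), r["id"], r["issuer_org"], ",".join(r["names"]))
            for r in sorted(records, key=lambda r: r["not_before"])]


def wildcard_records(records):
    """Wildcard certificates deserve a closer look: one cert covers every subdomain."""
    return [r for r in records if any(n.startswith("*.") for n in r["names"])]


def unexpected_issuers(records, approved_orgs):
    """Certificates from a CA the organisation does not use (approved list is an assumption)."""
    approved = {o.lower() for o in approved_orgs}
    return [r for r in records if r["issuer_org"].lower() not in approved]


def _edit_distance(a, b):
    """Plain Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_label(hostname):
    """Second-level label, e.g. 'example' from 'login.example.com' (no public-suffix handling)."""
    parts = hostname.split(".")
    return parts[-2] if len(parts) >= 2 else hostname


def is_lookalike(hostname, org_domain, max_distance=1):
    """Flag names that embed the brand or sit within max_distance edits of its registrable label."""
    host = hostname.lower().lstrip("*.")
    org = org_domain.lower()
    if host == org or host.endswith("." + org):
        return False  # the organisation's own namespace
    if org in host:
        return True   # brand embedded in a foreign domain, e.g. example.com.login-verify.net
    return _edit_distance(_registrable_label(host), _registrable_label(org)) <= max_distance


if __name__ == "__main__":
    # Replace SAMPLE_CRTSH_JSON with open("ct_certs.json").read() to analyse real collection output.
    uniq = dedupe(parse_crtsh(SAMPLE_CRTSH_JSON))
    for row in issuance_timeline(uniq):
        print("timeline:", row)
    print("wildcard ids:", [r["id"] for r in wildcard_records(uniq)])
    print("unexpected issuer ids:", [r["id"] for r in unexpected_issuers(uniq, ["DigiCert Inc"])])
    for name in ("examp1e.com", "www.example.com", "example.com.login-verify.net"):
        print(name, "lookalike" if is_lookalike(name, "example.com") else "ok")
```

The CertStream one-liner above prints every certificate whose CN contains a fixed substring; `is_lookalike` is the check you would call in its callback instead, so that single-character substitutions and brand-embedding names are caught as well. The registrable-label logic deliberately ignores the public suffix list, so names under multi-part TLDs such as `.co.uk` need a proper library before the edit-distance comparison is meaningful.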