Certificate Transparency (CT) and SCTs Explained
Certificate Transparency is a public, append-only logging system for TLS certificates. Publicly trusted CAs submit the certificates they issue to independent CT logs, so anyone can audit what has been issued for a domain, including certificates issued in error, obtained by fraud, or issued by a compromised CA. A log cannot quietly drop or rewrite an entry: each log is a Merkle tree whose signed tree heads can be cross-checked by auditors and monitors.
Why it matters
Before CT, a mis-issued certificate for your domain could go unnoticed until someone tripped over it in an attack. Now, because Chrome and Safari refuse certificates that carry no proof of logging, any certificate that works against browser users must also be visible in the public logs, and you can monitor those logs to detect unauthorized certificates for your domains, typically within a day of issuance (a log commits to publishing an entry within its maximum merge delay, 24 hours for the logs browsers accept).
SCTs: the proof of logging
A Signed Certificate Timestamp (SCT) is a signed promise from a CT log that it has received the certificate and will publish it within its maximum merge delay (RFC 6962). Chrome and Safari require a publicly trusted certificate to be accompanied by enough SCTs, currently two for certificates valid 180 days or less and three for longer-lived ones, from logs run by different operators that appear in the browser's log list; otherwise the connection fails (Chrome reports net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED). The browser checks each SCT's signature against the log's public key, so an SCT from an unknown or retired log does not count. SCTs can be delivered three ways:
| Delivery | Where | Notes |
|---|---|---|
| Embedded | inside the certificate, as X.509 extension 1.3.6.1.4.1.11129.2.4.2 | most common; the CA submits a precertificate to the logs and embeds the returned SCTs in the final certificate, so no server configuration is needed |
| TLS extension | in the handshake, via the signed_certificate_timestamp extension (type 18) | requires server support; rarely used |
| OCSP stapling | in the stapled OCSP response, as extension 1.3.6.1.4.1.11129.2.4.5 | requires stapling to be configured and the CA to include SCTs in its responses |
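To make the SCT structure concrete, here is an added example (not code from the original page) that parses an RFC 6962 SignedCertificateTimestampList, the TLS-encoded payload found inside the embedded-SCT extension, and checks it against an SCT-count policy. It assumes Chrome's published rule of two SCTs for certificates valid 180 days or less and three otherwise; the log IDs and signatures in the sample list are constructed and correspond to no real log. The parser validates structure only and does not verify signatures, which needs the log's public key from the browser log list.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList (the payload of the
embedded-SCT extension) and check it against an SCT-count policy.
Standard library only; the SCTs below are constructed for illustration."""
import struct
from datetime import datetime, timezone

# Wire format (RFC 6962 section 3.3), big-endian, TLS-style length prefixes:
#   SignedCertificateTimestampList = <2-byte length> SerializedSCT*
#   SerializedSCT                  = <2-byte length> SignedCertificateTimestamp
#   SignedCertificateTimestamp     = sct_version(1) log_id(32) timestamp(8 ms)
#                                    extensions<2-byte length>
#                                    hash_alg(1) sig_alg(1) signature<2-byte length>
HASH_ALGS = {4: "sha256"}           # TLS HashAlgorithm codes; CT mandates SHA-256
SIG_ALGS = {1: "rsa", 3: "ecdsa"}   # TLS SignatureAlgorithm codes


def _read_vec(buf, pos, len_bytes):
    """Read a TLS length-prefixed vector starting at pos; return (data, new_pos)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("vector length exceeds available data")
    return buf[pos:pos + n], pos + n


def parse_sct(raw):
    """Parse one SignedCertificateTimestamp. Structure only: the signature
    is returned, not verified."""
    if len(raw) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = raw[0]
    if version != 0:                       # v1 (value 0) is the only defined version
        raise ValueError(f"unsupported SCT version {version}")
    log_id = raw[1:33]                     # SHA-256 of the log's public key
    ts_ms = struct.unpack(">Q", raw[33:41])[0]
    extensions, pos = _read_vec(raw, 41, 2)
    if pos + 2 > len(raw):
        raise ValueError("missing signature algorithm bytes")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    signature, pos = _read_vec(raw, pos + 2, 2)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT signature")
    return {
        "version": version,
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
        "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
        "signature": signature,
    }


def parse_sct_list(data):
    """Parse the SCT list found inside the extension's OCTET STRING."""
    body, pos = _read_vec(data, 0, 2)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        item, p = _read_vec(body, p, 2)
        scts.append(parse_sct(item))
    return scts


def required_sct_count(lifetime_days):
    """Chrome's published policy (assumption, see lead-in): 2 SCTs for
    certificates valid 180 days or less, 3 for longer-lived ones."""
    return 2 if lifetime_days <= 180 else 3


def meets_sct_policy(scts, lifetime_days):
    """True if enough SCTs from distinct logs are present. Chrome also
    requires distinct log operators, which needs the published log list
    and is not checked here."""
    distinct_logs = {s["log_id"] for s in scts}
    return len(distinct_logs) >= required_sct_count(lifetime_days)


# --- constructed sample: fake log IDs and fake signature bytes, no real log ---
def encode_sct(log_id, ts_ms, signature, extensions=b""):
    body = bytes([0]) + log_id + struct.pack(">Q", ts_ms)
    body += len(extensions).to_bytes(2, "big") + extensions
    body += bytes([4, 3]) + len(signature).to_bytes(2, "big") + signature  # sha256 / ecdsa
    return body


def encode_sct_list(scts):
    items = b"".join(len(s).to_bytes(2, "big") + s for s in scts)
    return len(items).to_bytes(2, "big") + items


SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(b"\x01" * 32, 1700000000000, b"\x30\x45" + b"\xaa" * 69),
    encode_sct(b"\x02" * 32, 1700000000456, b"\x30\x44" + b"\xbb" * 68),
])

if __name__ == "__main__":
    scts = parse_sct_list(SAMPLE_SCT_LIST)
    for sct in scts:
        print(sct["log_id"][:16], sct["timestamp"].isoformat(), sct["sig_alg"])
    print("90-day cert meets policy:", meets_sct_policy(scts, 90))
    print("365-day cert meets policy:", meets_sct_policy(scts, 365))
```

For a real certificate, `openssl x509 -in cert.pem -noout -text` prints the decoded list under "CT Precertificate SCTs"; the raw bytes this parser expects are the contents of the OCTET STRING in extension 1.3.6.1.4.1.11129.2.4.2. Two things worth checking on the parsed output: the timestamp should be at or just before the certificate's notBefore, and every log ID should appear in the current Chrome and Apple log lists, since SCTs from retired or unknown logs are ignored by browsers.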
Monitor your domain
Search what has been issued for your domain at crt.sh (e.g. https://crt.sh/?q=example.com; a query for %.example.com also matches subdomains). A one-off search only shows the state today, so set up continuous CT monitoring with alerts, so that a certificate you did not request triggers an investigation: check which CA issued it, whether that CA is permitted by your CAA records, and ask the CA to revoke it if it is not yours. Our SSL/TLS checker shows the certificate the server actually negotiated; combine it with CT monitoring, which shows every certificate that exists for the name, for full visibility. Background: the certificate chain.
Note: CT also reveals internal hostnames if you put them in publicly trusted certificates, because every name in the certificate is logged and CT is routinely mined for reconnaissance. Use wildcard certs (only *.example.com is logged, at the cost of one key covering many hosts) or a private CA for internal names you don't want logged publicly.
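The monitoring step above, as an added example that is not part of the original page: it triages records in the shape returned by crt.sh's JSON endpoint (https://crt.sh/?q=%25.example.com&output=json) against an inventory of the CAs you actually use and the hostnames you have actually requested. Unexpected issuers are the mis-issuance case; unexpected names catch both certificates you never ordered and internal hostnames that someone put in a public certificate, the leak the note above warns about. The field names ("id", "issuer_name", "name_value" with newline-separated names, "serial_number") are those observed on crt.sh at the time of writing and are an assumption; the records themselves are constructed and are not real crt.sh data. Fetching is left to your scheduler (a daily curl of the URL is enough).

```python
"""Triage crt.sh JSON records for a monitored domain: flag certificates
from issuers you do not use and names you did not request. Standard
library only; the records below are constructed to mimic crt.sh output."""
import json

# Assumed crt.sh JSON field names (observed at time of writing): "id",
# "issuer_name", "name_value" (newline-separated SAN names), "serial_number".
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}          # CAs this domain really uses
EXPECTED_NAMES = {"example.com", "www.example.com", "login.example.com"}

# Constructed sample: fake ids and serials, shaped like crt.sh output.
SAMPLE_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.com\nwww.example.com", "serial_number": "0a",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T00:00:00"},
    # precertificate entry for the same certificate as id 1 (same serial)
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.com\nwww.example.com", "serial_number": "0a",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T00:00:00"},
    # a CA this organisation never uses issued a cert for the login host
    {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Other CA G1",
     "name_value": "login.example.com", "serial_number": "0b",
     "not_before": "2024-05-02T00:00:00", "not_after": "2024-07-31T00:00:00"},
    # an internal hostname leaked into a public certificate
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "vpn-gw01.corp.example.com", "serial_number": "0c",
     "not_before": "2024-05-03T00:00:00", "not_after": "2024-08-01T00:00:00"},
])


def issuer_org(dn):
    """Pull the O= value out of a crt.sh issuer DN string. Naive comma split;
    fine for CA names, which avoid commas in O."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "O":
            return value.strip()
    return ""


def triage(records, expected_issuer_orgs, expected_names):
    """Return (entry id, reason, detail) alerts for records outside the
    inventory. The precertificate and the final certificate are separate
    log entries with the same issuer and serial, so they are de-duplicated."""
    seen, alerts = set(), []
    allowed = {n.lower() for n in expected_names}
    for rec in records:
        key = (rec["issuer_name"], rec["serial_number"].lower())
        if key in seen:
            continue
        seen.add(key)
        names = {n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()}
        org = issuer_org(rec["issuer_name"])
        if org not in expected_issuer_orgs:
            alerts.append((rec["id"], "unexpected issuer", org))
        unknown = sorted(names - allowed)
        if unknown:
            alerts.append((rec["id"], "unexpected name", ", ".join(unknown)))
    return alerts


def run_sample():
    return triage(json.loads(SAMPLE_JSON), EXPECTED_ISSUER_ORGS, EXPECTED_NAMES)


if __name__ == "__main__":
    for entry_id, reason, detail in run_sample():
        print(f"ALERT crt.sh id={entry_id}: {reason}: {detail}")
```

If you use wildcard certificates, add the literal name `*.example.com` to the expected set; the check is exact set membership, which is what you want for an inventory, since a pattern match would silently accept whatever a CA issued under the wildcard.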