Historical list of certificates issued for ALL users?

albek47 · May 22, 2022, 8:12pm

There used to be a way to see each domain, certificate, and iP address used to get the certificate for LE certs. I can't seem to find that link anymore. Is it still public?

Osiris · May 22, 2022, 8:14pm

You can use certificate transparancy log aggregators such as https://crt.sh/ to search for the frst two items of your list. However, the IP addresses which requested those certificates are not public and never have been. This was just an idea LE previously had (to make such information public), but has never followed through with.

9peppe · May 22, 2022, 8:26pm

Each certificate, for each user?

You know that's terabytes of data each year, right?

You can grep through the certificate transparency logs, of course, or use a service that does that for you.

albek47 · May 23, 2022, 4:38pm

I could've sworn there was something that showed the most recently issued certs by LE.

I did find the crt.sh site but that wasn't what I had found in the past. Also seems like big corps have a way of staying off of those logs if they want to.

petercooperjr · May 23, 2022, 4:54pm

There might be something you found, but there's no web interface from Let's Encrypt themselves. They do log to their own Certificate Transparency log, but you need a client specifically for reading from those logs; it's not something easily seen in a web browser (thus the aggregation of the data on other sites).

Here are the sites I know of that help one look through CT logs:

~~Google Certificate Transparency~~
crt.sh by Sectigo
Censys Certificates
Facebook Transparency Monitoring (needs a Facebook account)
Certstream
Entrust Certificate Search

There are probably others, and if you want to be comprehensive you could get them all through the CT logs directly and write your own tooling.

Well, for certificates designed for "internal use only" operation, they could configure their browsers to not need CT and not log those certificates to CT. But for any certificate designed for use with the Internet at large, they need to be logged in order for browsers to accept them. The main way to "work around" CT logging that I know of is the one could make a wildcard certificate for *.domain.example, and then since only the wildcard is listed in the certificate you can't use CT logs to find out that the only hostname actually being used is some-specific-host.domain.example. But that doesn't really hide all that much.

rg305 · May 23, 2022, 5:02pm

Seems like Goggle has moved (or removed) that site.

MikeMcQ · May 23, 2022, 5:12pm

What about using censys.io? Like

https://search.censys.io/certificates?q=parsed.issuer.organization%3A%22Let%27s+Encrypt%22

petercooperjr · May 23, 2022, 5:17pm

Hmm. Looks like that might be the case. Though it's still listed as a monitor on the "Certificate Transparency" site, which I think is also run by Google (or at least used to be):

Nummer378 · May 23, 2022, 7:42pm

Google announcent the shutdown of that tool on approx. March 23rd this year. Shutdown was on May 15th 2022.

system · June 22, 2022, 7:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.