I want to create a certificate transparency server

syuu_22397 · September 17, 2020, 8:20am

I’m thinking of creating a certificate transparency server.
I’m thinking of making the OS with CentOS or Debian.
How do I create a detailed certificate transparency server?

griffin · September 17, 2020, 8:23am

Not exactly sure. What’s your goal compared to something like https://crt.sh?

syuu_22397 · September 17, 2020, 8:31am

I create a certificate transparency server and publish it for myself.
It may not make much sense, but I’m thinking about that.
In terms of functionality, I would like to create something similar to https://crt.sh.

JuergenAuer · September 17, 2020, 8:34am

Hi @syuu_22397

then this forum is the wrong place.

That's not a Letsencrypt relevant question.

Thanks!

syuu_22397 · September 17, 2020, 8:38am

When I saw that Let’s Encrypt was used to create a certificate transparency server, I thought it was related to Let’s Encrypt.
excuse me.

JuergenAuer · September 17, 2020, 8:58am

Letsencrypt doesn't run something like crt.sh.

crt.sh is a Certificate monitor, that checks certificate logs.

Letsencrypt runs an own certificate log. But who should fill your (private) certificate log?

PS: "Certificate transparency server" isn't defined.

_az · September 17, 2020, 9:24am

I have a little bit of experience making my own log aggregator, similar to crt.sh.

It requires an enormous amount of disk space and bandwidth, to say the least. I don’t actually store the certificates, just the domain names, and the date when I first observed them. Otherwise, I would easily go broke paying for the infrastructure.

The basic principle is:

Download https://www.gstatic.com/ct/log_list/log_list.json
For each active log in that list, use an RFC6962 client to scan the entire log, and copy each DER-encoded certificate, along with any data you want to index, into your database.
Every few minutes or so, check each log whether there have been any new entries. If so, scan the log again, starting from the index you scanned upto last time.
You’re done! Make a web frontend to query your database.

I used https://github.com/google/certificate-transparency-go to help me, but there’s probably some other options. I noticed it’s quite CPU-intensive for some reason, but I didn’t really look into why, and didn’t want to write an RFC6962 client by myself just to be more efficient.

syuu_22397 · September 17, 2020, 10:05am

Is it possible to tell me more about how to do it if possible?

_az · September 17, 2020, 10:21am

Probably not? It’s not a terribly common project, so it’s not like people have written it up in a step-by-step way that you can just download and run.

I mean, I can show you all the parts to the little aggregator I created 3 years ago. The log scanning and database insertion program (which is the important bit), the web API, the HTML frontend and the actual live thing.

All of crt.sh is open source as well.

But I don’t think it’s the case that you can download either and be up and running in a hot minute. Best to start simple.

Or forget about the whole thing, and figure out a different way to achieve your objectives. For example, there is raw database access to the crt.sh database available, which is a very powerful free resource.

danb35 · September 17, 2020, 10:44am

I think this needs to be corrected. It isn't the case that "Let's Encrypt was used to create a certificate transparency server." Rather, ISRG (who operates the Let's Encrypt service) also runs a certificate transparency server. That's the only connection between the two--they're independent services run by the same organization.

As a second point, crt.sh is not a certificate transparency server; it's an aggregator. They collect transparency information from the actual transparency logs, and give you a searchable front-end for it.

Why do you want to do this? Is it just as a hobby project, just to do it? If so, well, you've got a lot to figure out on your own, and your apparent request for detailed, step-by-step instructions doesn't seem entirely consistent. Or do you think you actually need it for some purpose? If so, what purpose?

syuu_22397 · September 17, 2020, 11:05am

I’m thinking of adding certificate transparency to the certificate authority I run.

_az · September 17, 2020, 11:13am

Do you know if you will run your own log, or submit your certificates to logs operated by third-parties?

You can find a guide to running a CT log here.

But a better first step might be getting your CA to publish certificates to an existing log.

syuu_22397 · September 17, 2020, 11:32am

Submitting a certificate to a log run by a third party can seem very difficult, but what does it really look like?

danb35 · September 17, 2020, 11:47am

Again, why? If it's a matter of clearing browser warnings, that will only happen if it's in a trusted log. And unless you're operating a publicly-trusted CA (which seems doubtful), public CT logs won't accept your certs. If you are somehow running a trusted CA that isn't yet logging certs, it looks like there's a standard API for submission. Here's a short script that demonstrates it:

gist.github.com

https://gist.github.com/rraptorr/2efaaf21caaf6574e8ff

ct-submit.py

#!/usr/bin/python

import sys
import argparse, json, base64, struct
import urllib2
from datetime import datetime

LOGS = {
    'icarus': 'https://ct.googleapis.com/icarus',
    'pilot': 'https://ct.googleapis.com/pilot',

This file has been truncated. show original

system · October 17, 2020, 11:47am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Transparent certificate policy Issuance Policy	5	2207	March 15, 2016
Few days I struggle to create a letsencrypt Help	4	565	July 17, 2022
Certificate transparency logs Help	2	1179	December 7, 2022
Tutorial - Build your Own Certificate Transparency Log Analyzer Server	1	2001	December 13, 2017
Certificate transparency (CT) monitoring for Let's Encrypt certificates Server	3	6127	August 8, 2017

I want to create a certificate transparency server

Related topics