I want to create a certificate transparency server

I’m thinking of creating a certificate transparency server.
I’m thinking of making the OS with CentOS or Debian.
How do I create a detailed certificate transparency server?

Not exactly sure. What’s your goal compared to something like https://crt.sh?

I create a certificate transparency server and publish it for myself.
It may not make much sense, but I’m thinking about that.
In terms of functionality, I would like to create something similar to https://crt.sh.

Hi @syuu_22397

then this forum is the wrong place.

That’s not a Letsencrypt relevant question.

Thanks!

1 Like

When I saw that Let’s Encrypt was used to create a certificate transparency server, I thought it was related to Let’s Encrypt.
excuse me.

Letsencrypt doesn’t run something like crt.sh.

crt.sh is a Certificate monitor, that checks certificate logs.

Letsencrypt runs an own certificate log. But who should fill your (private) certificate log?

PS: “Certificate transparency server” isn’t defined.

1 Like

I have a little bit of experience making my own log aggregator, similar to crt.sh.

It requires an enormous amount of disk space and bandwidth, to say the least. I don’t actually store the certificates, just the domain names, and the date when I first observed them. Otherwise, I would easily go broke paying for the infrastructure.

The basic principle is:

  • Download https://www.gstatic.com/ct/log_list/log_list.json
  • For each active log in that list, use an RFC6962 client to scan the entire log, and copy each DER-encoded certificate, along with any data you want to index, into your database.
  • Every few minutes or so, check each log whether there have been any new entries. If so, scan the log again, starting from the index you scanned upto last time.
  • You’re done! Make a web frontend to query your database.

I used https://github.com/google/certificate-transparency-go to help me, but there’s probably some other options. I noticed it’s quite CPU-intensive for some reason, but I didn’t really look into why, and didn’t want to write an RFC6962 client by myself just to be more efficient.

2 Likes

Is it possible to tell me more about how to do it if possible?

Probably not? It’s not a terribly common project, so it’s not like people have written it up in a step-by-step way that you can just download and run.

I mean, I can show you all the parts to the little aggregator I created 3 years ago. The log scanning and database insertion program (which is the important bit), the web API, the HTML frontend and the actual live thing.

All of crt.sh is open source as well.

But I don’t think it’s the case that you can download either and be up and running in a hot minute. Best to start simple.

Or forget about the whole thing, and figure out a different way to achieve your objectives. For example, there is raw database access to the crt.sh database available, which is a very powerful free resource.

1 Like

I think this needs to be corrected. It isn’t the case that “Let’s Encrypt was used to create a certificate transparency server.” Rather, ISRG (who operates the Let’s Encrypt service) also runs a certificate transparency server. That’s the only connection between the two–they’re independent services run by the same organization.

As a second point, crt.sh is not a certificate transparency server; it’s an aggregator. They collect transparency information from the actual transparency logs, and give you a searchable front-end for it.

Why do you want to do this? Is it just as a hobby project, just to do it? If so, well, you’ve got a lot to figure out on your own, and your apparent request for detailed, step-by-step instructions doesn’t seem entirely consistent. Or do you think you actually need it for some purpose? If so, what purpose?

1 Like

I’m thinking of adding certificate transparency to the certificate authority I run.

Do you know if you will run your own log, or submit your certificates to logs operated by third-parties?

You can find a guide to running a CT log here.

But a better first step might be getting your CA to publish certificates to an existing log.

Submitting a certificate to a log run by a third party can seem very difficult, but what does it really look like?

Again, why? If it’s a matter of clearing browser warnings, that will only happen if it’s in a trusted log. And unless you’re operating a publicly-trusted CA (which seems doubtful), public CT logs won’t accept your certs. If you are somehow running a trusted CA that isn’t yet logging certs, it looks like there’s a standard API for submission. Here’s a short script that demonstrates it:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.