Monitoring certificate issuance

Thanks to Let’s Encrypt logging all certificates in certificate transparency (CT) logs, it starts making sense to monitor those logs.

It may help stop fraudulent certificates, but also catch problems in our infrastructure (renewals too often, a certificate generated for a domain that should use an internal CA, …).

I’m aware of two services that monitor CT logs to alert on new certificate issuance: https://www.digicert.com/certcentral/certificate-monitoring.htm and https://sslmate.com/certspotter/.

Does anybody know other ways to monitor them?

It is possible to build your own monitor: the API for talking to a log server is published, and a qualified log server should respond to any reasonable requests. Obviously building your own monitor isn’t likely to be cost effective for an individual or small business, but it’s an option and would give you total control over reliability, etc., plus total privacy, since nobody gets to see what searches you’re running or not. However, you’ve listed the main offerings I’m aware of today for those who want live monitoring but don’t want to build their own.

Along with voluntary submissions from many CAs (most obviously Let’s Encrypt), some CAs, notably Symantec, are mandated to log everything they issue by agreement with Google - if they don’t, Google has threatened to add “interstitial” warnings when Chrome users visit sites using their certificates, which is a sure-fire way for them to lose business. The CT logs also include certificates that Google’s crawlers run into, and anything anyone submits that chains back to a public CA root.

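The published log API returns each entry as a base64 `leaf_input` in the RFC 6962 MerkleTreeLeaf encoding, and decoding those entries is the first thing a self-built monitor has to do. The decoder below is an added example, not code from the thread or from any of the services named in it; it assumes the RFC 6962 layout for an x509_entry leaf and builds a throwaway self-signed certificate as its own constructed sample input, so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// parseLeafInput decodes one base64 "leaf_input" from a log's get-entries reply
// (RFC 6962 MerkleTreeLeaf): version(1) leaf_type(1) timestamp(8) entry_type(2)
// cert_len(3) cert. Returns the certified DNS names and the log timestamp (ms).
func parseLeafInput(b64 string) ([]string, uint64, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 15 || raw[0] != 0 || raw[1] != 0 {
		return nil, 0, fmt.Errorf("not a v1 timestamped_entry leaf")
	}
	ts := binary.BigEndian.Uint64(raw[2:10])
	if binary.BigEndian.Uint16(raw[10:12]) != 0 { // 1 = precert_entry (bare TBS)
		return nil, ts, fmt.Errorf("precert_entry: wait for the final certificate")
	}
	n := int(raw[12])<<16 | int(raw[13])<<8 | int(raw[14])
	if len(raw) < 15+n {
		return nil, ts, fmt.Errorf("truncated certificate")
	}
	cert, err := x509.ParseCertificate(raw[15 : 15+n])
	if err != nil {
		return nil, ts, err
	}
	return cert.DNSNames, ts, nil
}

// constructedLeaf wraps a throwaway self-signed certificate in the leaf encoding
// so the parser can run offline; it is a constructed sample, not a real log entry.
func constructedLeaf(dnsNames []string, ts uint64) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsNames[0]},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: dnsNames}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf := binary.BigEndian.AppendUint64([]byte{0, 0}, ts) // version 0, timestamped_entry
	leaf = append(leaf, 0, 0, byte(len(der)>>16), byte(len(der)>>8), byte(len(der)))
	return base64.StdEncoding.EncodeToString(append(append(leaf, der...), 0, 0)) // + empty extensions
}

func main() { fmt.Println(parseLeafInput(constructedLeaf([]string{"www.example.com", "example.com"}, 1500000000000))) }
```

A monitor would feed real `leaf_input` values from `get-entries` into `parseLeafInput` and compare the returned names against the zones it watches.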

Do you know if certificates found by https://www.eff.org/fr/observatory, submitted for example by the HTTPS Everywhere browser extension, are submitted to any CT log?

@tdelmas, no, they currently aren’t.

