Auditing TLS Certificate Transparency Logs

Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains

What Is This?

The "Auditing TLS Certificate Transparency Logs" skill enables security teams and developers to monitor, analyze, and audit the issuance of TLS certificates for their domains using Certificate Transparency (CT) logs. CT is an open framework defined by RFC 6962 that requires Certificate Authorities (CAs) to log every issued TLS certificate in publicly accessible, append-only logs. This skill leverages CT data, including the crt.sh API and direct CT log queries, to help detect unauthorized certificate issuance, discover new or hidden subdomains, and audit CA compliance.

Why Use It?

The rapid growth of HTTPS and the ease of obtaining certificates from numerous CAs can expose organizations to several risks:

  • Rogue Certificate Issuance: Attackers may obtain valid certificates for domains they do not own, enabling phishing, man-in-the-middle, or impersonation attacks.
  • Shadow IT and Subdomain Discovery: New subdomains and services may be deployed without proper oversight, increasing the attack surface.
  • Regulatory and Policy Compliance: Many browser vendors and industry standards require that all publicly trusted certificates be logged to CT. Monitoring these logs is essential for compliance and trust.
  • Early Threat Detection: By tracking CT logs, defenders can spot suspicious certificate activity, such as look-alike or typo-squatting domains, before they are used in attacks.

How to Use It

This skill can be activated for workflows involving certificate monitoring, subdomain enumeration, or alerting on certificate issuance events. Below are practical steps and code examples:

1. Querying CT Logs via the crt.sh API

crt.sh offers a public API to search certificates by domain. This is a simple way to begin monitoring issuance for your domains.

Example: Fetch all certificates for example.com

import requests

def fetch_certificates(domain):
    # %25 is a URL-encoded '%', crt.sh's wildcard, so the query covers the apex and all subdomains
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    response = requests.get(url, timeout=30)
    if response.status_code == 200:
        certs = response.json()
        for cert in certs:
            # name_value carries every SAN entry of the certificate, newline-separated
            print(cert.get("common_name"), cert.get("name_value"), cert.get("not_before"))
    else:
        print(f"Failed to fetch certificates for {domain}: HTTP {response.status_code}")

fetch_certificates("example.com")

This script lists every certificate issued for example.com and its subdomains. It can be scheduled to run regularly and trigger alerts when unexpected certificates are detected.
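The alerting step that the paragraph above leaves open is deciding which of the returned records are unexpected. The following is an added example, not part of the original skill or of crt.sh, that audits records in the JSON shape the query above returns (the `issuer_name` field holds the issuer DN, `name_value` the newline-separated SAN list) against an allowlist of issuer organizations. It also shows suffix-safe name matching, so a name such as notexample.com is not mistaken for a certificate covering example.com; the same matching applies to the `all_domains` list a certstream feed delivers. The records, the allowlist and the issuer names are constructed for the example.

```python
"""Audit CT records for a domain against an issuer allowlist (added example)."""

# Constructed records mirroring the JSON shape returned by
# https://crt.sh/?q=%25.example.com&output=json (all values are made up).
SAMPLE_RECORDS = [
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com",
     "not_before": "2024-02-01T00:00:00"},
    {"id": 103, "issuer_name": "C=XX, O=Unexpected Issuer Ltd, CN=Unexpected CA 1",
     "common_name": "login.example.com",
     "name_value": "login.example.com\nsecure-login.example.com",
     "not_before": "2024-03-15T00:00:00"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "notexample.com",
     "name_value": "notexample.com",
     "not_before": "2024-03-20T00:00:00"},
]


def issuer_org(issuer_name):
    """Return the O= component of an issuer DN string, or '' if absent.

    Assumes the comma-separated DN rendering used here and no escaped commas.
    """
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:]
    return ""


def matches_domain(name, apex):
    """True if name is the apex or a real subdomain of it.

    A wildcard prefix is stripped first. A plain endswith() check would
    wrongly accept 'notexample.com' for the apex 'example.com'.
    """
    name = name.strip().lower()
    if name.startswith("*."):
        name = name[2:]
    return name == apex or name.endswith("." + apex)


def record_names(record):
    """All names a record covers: the CN plus the newline-separated SAN list."""
    names = set()
    cn = record.get("common_name") or ""
    if cn.strip():
        names.add(cn.strip().lower())
    for line in (record.get("name_value") or "").split("\n"):
        if line.strip():
            names.add(line.strip().lower())
    return names


def audit_issuance(records, apex, allowed_orgs):
    """Return findings for certificates covering apex issued by a non-allowlisted organization."""
    allowed = {org.lower() for org in allowed_orgs}
    findings = []
    for rec in records:
        covered = sorted(n for n in record_names(rec) if matches_domain(n, apex))
        if not covered:
            continue  # record belongs to another domain (e.g. a suffix collision)
        org = issuer_org(rec.get("issuer_name", ""))
        if org.lower() not in allowed:
            findings.append({"id": rec.get("id"), "issuer_org": org,
                             "names": covered, "not_before": rec.get("not_before")})
    return findings


if __name__ == "__main__":
    for finding in audit_issuance(SAMPLE_RECORDS, "example.com", ["Let's Encrypt"]):
        print("ALERT: certificate from unexpected issuer", finding)
```

In a scheduled job, replace SAMPLE_RECORDS with the parsed response of the crt.sh query and keep the allowlist in configuration next to the monitored domain list; every finding is a candidate for an alert, and the record id lets an analyst pull the certificate from crt.sh for review.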

2. Direct CT Log Querying (RFC 6962)

For advanced use cases, querying CT logs directly allows integration into custom pipelines. Libraries such as certstream provide real-time streams of CT log entries.

Example: Real-time CT log monitoring using certstream

import certstream

MONITORED_DOMAIN = "example.com"

def matches_domain(name, apex):
    # Strip a wildcard prefix and require the apex itself or a true subdomain,
    # so that "notexample.com" is not treated as a match for "example.com"
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == apex or name.endswith("." + apex)

def print_callback(message, context):
    # certstream also emits heartbeat messages; only certificate updates carry a leaf_cert
    if message.get("message_type") != "certificate_update":
        return
    data = message.get("data", {})
    leaf_cert = data.get("leaf_cert", {})
    all_domains = leaf_cert.get("all_domains", [])
    for domain in all_domains:
        # Alert if the domain matches your monitoring list
        if matches_domain(domain, MONITORED_DOMAIN):
            print(f"New certificate issued for: {domain}")

certstream.listen_for_events(print_callback, url='wss://certstream.calidog.io/')

This approach enables immediate detection of new certificates matching your domains, supporting rapid incident response.

3. Subdomain Discovery

Since certificates must list all domains and subdomains they secure, parsing CT logs allows discovery of hidden or undocumented subdomains.

Example: Extracting subdomains

import requests

def extract_subdomains(domain):
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    response = requests.get(url, timeout=30)
    if response.status_code == 200:
        certs = response.json()
        subdomains = set()
        for cert in certs:
            # name_value holds every SAN entry of the certificate, one per line
            names = cert.get("name_value", "").split("\n")
            for name in names:
                name = name.strip().lower()
                if name.startswith("*."):
                    name = name[2:]  # a wildcard entry still reveals its parent name
                # Require the apex or a real subdomain, not merely a matching suffix
                if name == domain or name.endswith("." + domain):
                    subdomains.add(name)
        return subdomains
    return set()

discovered = extract_subdomains("example.com")
print("Discovered subdomains:", sorted(discovered))

This helps map your external attack surface and identify unauthorized or forgotten services.

When to Use It

  • Monitor Owned Domains: Continuously check for certificates issued to your domains by unknown or unauthorized CAs.
  • Subdomain Enumeration: Use CT data to detect all subdomains, including those not published elsewhere.
  • Detect Phishing: Find certificates for typo-squatted or look-alike domains that could be used for phishing.
  • Audit CA Compliance: Verify CAs are properly logging issued certificates as required by browser and industry policies.
  • Security Operations Pipelines: Integrate certificate monitoring into SIEM or alerting systems for proactive defense.
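The "Detect Phishing" use case above needs a rule for what counts as a look-alike of a monitored brand. The following is an added example, not code from the original skill, that classifies names harvested from CT (crt.sh `name_value` entries or a certstream `all_domains` list) into typo, homoglyph, TLD-swap and keyword look-alikes of a brand label. The sample names, the brand "example" and the small confusables table are constructed for the example, and registrable-domain handling assumes a single-label public suffix (a real deployment would use a public suffix list).

```python
"""Flag look-alike domains among names harvested from CT logs (added example)."""

# Constructed names as they might appear in crt.sh name_value fields or a
# certstream all_domains list; only the first belongs to the brand itself.
SAMPLE_NAMES = [
    "www.example.com",
    "examp1e.com",
    "exarnple.com",
    "example-login.com",
    "example.co",
    "examples.com",
    "unrelated.org",
]

# Substitutions commonly seen in typo-squats; multi-character keys are applied first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label):
    """Undo the confusable substitutions so 'examp1e' compares equal to 'example'."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Edit distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_parts(name):
    """Return (second-level label, tld), or None for a bare label.

    Assumption: single-label public suffixes only (no co.uk style handling).
    """
    labels = name.lower().strip().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def classify(name, brand, brand_tld, max_distance=1):
    """Return a look-alike category for name, or None if it is not suspicious."""
    parts = registrable_parts(name)
    if parts is None:
        return None
    sld, tld = parts
    if sld == brand and tld == brand_tld:
        return None  # the brand's own registrable domain (any subdomain of it)
    norm = normalize_label(sld)
    if norm == brand:
        return "tld-swap" if sld == brand else "homoglyph"
    if levenshtein(norm, brand) <= max_distance:
        return "typo"
    if brand in norm.split("-"):
        return "keyword"
    return None


def find_lookalikes(names, brand="example", brand_tld="com"):
    """Map each suspicious name to the reason it was flagged."""
    results = {}
    for name in names:
        reason = classify(name, brand, brand_tld)
        if reason:
            results[name] = reason
    return results


if __name__ == "__main__":
    for name, reason in find_lookalikes(SAMPLE_NAMES).items():
        print(f"{reason:10} {name}")
```

Run the classifier over every new name the monitoring feed delivers and route hits to the same alerting channel as the issuer audit; the category tells the analyst which heuristic fired, which helps when tuning `max_distance` or the confusables table against false positives.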

Important Notes

  • Privacy Considerations: All publicly trusted certificates, including those for internal or sensitive subdomains, are visible in CT logs. Plan accordingly.
  • API Rate Limits: Services like crt.sh may enforce rate limits. For large-scale monitoring, consider deploying your own CT log mirror or use commercial CT monitoring solutions.
  • Certificate Revocation: CT logs show issued certificates, not their current validity. Additional checks are required to determine if a certificate has been revoked.
  • Automation and Alerting: Regularly update monitored domain lists and integrate with alerting systems to ensure timely response to suspicious activity.
  • Limitations: While CT logs are comprehensive for publicly trusted certificates, they do not include certificates from private CAs or those not trusted by browsers.

By leveraging this skill, organizations can achieve continuous visibility into certificate issuance, reduce risk from unauthorized certificates, and improve their overall security posture in accordance with best practices and regulatory requirements.