Certificates are the bedrock of the security we enjoy online, so it is hard to overstate the importance of Certificate Transparency (CT) for every active website. CT is an open framework of public, append-only logs for monitoring and auditing the SSL/TLS certificates that Certificate Authorities (CAs) issue, which ensures that a record of every valid certificate is accessible to anyone. Because the logs are append-only and any tampering with them is detectable, they provide transparency and accountability, and domain owners can swiftly identify rogue certificates issued for their domains.
On average, digital certificates are hacked or hijacked every 10 minutes, exposing their owners to malware attacks, data theft and reputational damage. That fact alone should make the case for Certificate Transparency to every organization; but in case it doesn't, you should know that Google Chrome requires all SSL/TLS certificates to be publicly logged before it will treat a site's certificate as valid. Various CT log monitoring tools, both open source and paid, are available today, and this article discusses some of the options.
Current CT monitoring tools
By making a conscious effort to monitor CT logs, you gain complete visibility of the digital certificates issued for your domain(s), sharply reducing your exposure to the threats cited above. Detecting malicious, mis-issued or expiring SSL/TLS certificates becomes straightforward.
The question is, which tool is right for your needs?
Open-source CT log monitoring tools, such as those offered by CAs, are a popular and effective option. Non-profit CA Let’s Encrypt, for example, has developed a CT log monitoring tool named CT Woodpecker, which monitors the stability and compliance of logs. However, as the tool’s GitHub page states, it is “not a complete stand-alone monitoring solution and is designed to integrate with other solutions.” DigiCert, meanwhile, offers CT log monitoring as part of its Secure Site Pro SSL package, and Cloudflare launched its own CT dashboard, Merkle Town, not too long ago.
Even Facebook has built its own Certificate Transparency monitoring tool. It continuously scans the major public CT logs for newly issued digital certificates covering domains that the user owns. To assemble this data, Facebook fetches and stores the publicly published certificate information from a collection of CAs that support a standardized CT logging format.
Of course, more comprehensive solutions are available for larger organizations. Keyhub is one such option. It is a cloud-based platform which automates the process of discovery, organization and tracking of SSL/TLS certificates across an entire business network. Keyhub simplifies routine operations and helps detect vulnerabilities and weak points related to digital certificates. It offers a free trial that enables businesses to track up to 1,000 certificates.
A software-as-a-service (SaaS) solution, Keyhub requires no installation or hosting: set up an account and start monitoring CT logs for your domains and subdomains straight away. Keyhub monitors all publicly available CT logs, and when a certificate matching one of your watched domain names is detected, it is added to the inventory. You can also set up alerts so that you are notified whenever a new pre-certificate or certificate for your domains appears in the CT logs. Keyhub’s speed in detecting new certificates is unmatched, and the program is available via a free trial.
Picking the right CT monitoring tool for your needs
Open source CT monitoring tools have a number of benefits: their code can be audited, and businesses can customize them to suit their needs. Most enterprises, however, have neither the need nor the ability to get this granular with their CAs. Moreover, the majority of open source CT tools do not provide a complete end-to-end solution that can accommodate all of a typical enterprise’s digital certificates. Their user experience is also less refined than that of commercial software, which heightens the risk of human error, with certificates slipping through the cracks.
SaaS solutions such as Keyhub provide a more user-friendly CT monitoring experience, coupled with greater versatility that allows them to incorporate a wider range of SSL/TLS certificates. Businesses can expect to pay slightly more for a cloud-based solution, but they may conclude that the added security guarantees and usability make the investment worthwhile. Automating this process is essential, saving you time, energy and money while securing your domains and subdomains.