Readablewiki

Certificate Transparency

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

Certificate Transparency (CT) is a security framework that publicly logs every TLS certificate issued by publicly trusted certificate authorities (CAs). The idea is to help site owners, security teams, and browsers quickly spot certificates that were issued by mistake or with bad intent.

How it works
- When a certificate is issued, the authority can submit it to public logs, which return a record called a signed certificate timestamp (SCT) as proof that the certificate has been accepted for logging.
- Logs are append-only and organized as a Merkle tree, so anyone can verify the log hasn’t been tampered with. The current log state is called the signed tree head (STH).
- To prove that a certificate has been logged, the SCT may be embedded in the certificate itself, delivered in a TLS extension during the handshake, or returned in a stapled OCSP response.
- Because logs can become very large, they are sometimes split into smaller pieces by time (temporal sharding) to reduce load.

Why it’s useful
- CT makes it possible to detect certificates that were issued improperly or for domains that don’t belong to the rightful owners.
- It helps security teams defend networks by acting quickly on suspicious certificates and domains.
- Certificates for internal, private domains also become searchable once logged publicly.

Who runs it and how it’s watched
- Logs are run by many parties, including browser makers and certificate authorities.
- Monitors continually check logs for new certificates and alert domain owners if something looks wrong.
- Researchers and organizations use tools like public lookup sites to track certificate issuance for their domains.

Adoption and evolution (in brief)
- CT emerged after notable CA breaches and was formalized as a standard, with large browser makers adopting it over time.
- Major browsers started requiring CT for more certificates, and public CT logs have evolved with new tools and policies.
- The ecosystem includes different log operators and policies to keep the system healthy and verifiable.

In short, Certificate Transparency adds an open, verifiable public record of certificates so misissuance can be found and stopped more quickly, strengthening the security of encrypted web traffic.


This page was last edited on 2 February 2026, at 18:51 (CET).