The certificate transparency project maintains logs of all certificates issued. My understanding is that this was originally started by Google, but is now a distributed trust network where all CAs submit certificates to at least two “public logs.” This means that there is a collective, verifiable data about all trusted certificates on the Internet.
From a security perspective it is helpful to have a full inventory of all certificates issued for your domain(s). More importantly is knowing when illegitimate certificates have been issued, due to a rogue or reckless CA or the failure of internal approval processes. A few companies have built tools and services to monitor the transparency logs to report this information.
The project has a list of these monitor services. Two that I use are shown below.
crt.sh
Sectigo has made the crt.sh tool available for filtering the logs by a particular domain. I find that excluding expired certificates and turning on deduplication gives the most usable output. Note that there is also an RSS feed link so you can subscribe to any new entries for that search.
cloudflare
Cloudflare offers Certificate Transparency
Monitoring to all of its customers. It is as simple
as turning on a switch for that particular zone in their dashboard.
Choose the domain/zone that you are interested in monitoring, and under
the SSL/TLS menu, choose Edge Certficates. Scroll down and enable
“Certificate Transparency Monitoring.”
