Auditing TLS Certificate Transparency Logs

When to Use

• Monitoring owned domains for unauthorized or unexpected certificate issuance by unknown Certificate Authorities
• Discovering subdomains and hidden services through certificates logged in public CT logs
• Detecting phishing infrastructure that uses look-alike domain certificates (typosquatting, homograph attacks)
• Auditing Certificate Authority compliance by verifying all issued certificates appear in CT logs as required by browser policies
• Building continuous certificate monitoring into a security operations pipeline with alerting for new issuances

Do not use for attacking or disrupting Certificate Authorities, for scraping CT logs in violation of rate limits or terms of service, or as the sole method of subdomain enumeration without corroborating results through DNS verification.

Prerequisites

• Python 3.10+ with requests, cryptography, and pyOpenSSL libraries installed
• Network access to crt.sh (HTTPS) and public CT log servers
• A list of domains to monitor (owned domains, brand variations, typosquat candidates)
• SMTP credentials or webhook URL for alerting on new certificate discoveries
• Basic understanding of X.509 certificate structure and TLS certificate chain validation