Learn how Certificate Transparency Monitoring provides visibility over SSL certificates provisioned for your domains.
Overview
A website is trusted by major browsers via an SSL certificate. An SSL certificate helps prove site identity and ensures secure connections before the client or browser sends content.
When Certificate Authorities issue certificates, they record issuance in public Certificate Transparency (CT) logs. CT logs are large databases managed by Cloudflare, Google, and others that collectively document all valid certificates. Cloudflare’s Certificate Transparency Monitoring emails an alert whenever your domain is recognized in a CT log. Thus, CT monitoring notifies you whenever an SSL certificate is created for your domain and allows you to confirm the legitimacy of new SSL certificates.
Enable Certificate Transparency alerts
Alerts are Off by default, but are enabled via Certificate Transparency Monitoring within the Edge Certificates tab of the Cloudflare SSL/TLS app. Alerts for Free and Pro domains are limited to 10 per week and are sent to all Cloudflare account members defined within Shared Account Access. Business and Enterprise domains can configure up to 10 email addresses to receive CT alerts. The email addresses don’t require association with a Cloudflare account and alerts are limited to 200 per week.
Alert limits are counted by certificate, not by the number of emails sent. For example, an alert for www.example.com that is emailed to 5 recipients only counts as 1 alert.
To disable CT alerts for Free and Pro domains, set Certificate Transparency Monitoring to Off in the Edge Certificates tab of the Cloudflare dashboard SSL/TLS app. For Business and Enterprise domains, remove all configured email addresses from the Certificate Transparency Monitoring feature.
You may receive alerts about your Cloudflare Universal SSL certificate, certificates provided through the Advanced Certificate Manager, or SXG certificates related to the AMP Real URL feature.
Take action against malicious SSL certificates
Most certificate alerts are routine. For example, certificates expire and must be reissued. No action is required if your domain is listed in the email along with recognizable ownership and certificate information.
However, take action whenever you don’t recognize the certificate issuer or you notice problems with your website around the time you received the CT alert.
Malicious activity can be difficult to recognize. You can mitigate malicious certificates by warning your visitors via an on-site notification, blocking domains by contacting browser makers (Google for Chrome, Apple for Safari, etc.), or contacting Contact Cloudflare Support. In addition, you can contact certificate authorities or domain registrars (contact information below).
Certificate Authorities
Only certificate authorities have the power to revoke malicious certificates. If you believe an incorrect certificate was issued for your domain, contact the Certificate Authority listed as the Issuer in the alert email. Here are the contact links for several major Certificate Authorities:
- DigiCert: https://www.digicert.com/support/#Contact
- GlobalSign: https://www.globalsign.com/en/company/contact/support/
- GoDaddy: https://www.godaddy.com/contact-us?sp_hp=B
- IdenTrust: https://www.identrust.com/support/support-team
- Let’s Encrypt: https://letsencrypt.org/contact/
- Sectigo: https://sectigo.com/support
Domain Registrars
Domain registrars may suspend potentially malicious domains. For example, if you notice a malicious domain registered through GoDaddy, contact GoDaddy’s support team for assistance.
Other Actions
There are other ways to mitigate malicious certificates. You can warn your visitors via an on-site notification, you can attempt to block domains by contacting browser makers (Google for Chrome, Apple for Safari, etc.), or you can Contact Cloudflare Support.