Understanding Certificate Transparency Monitoring

Learn how Certificate Transparency Monitoring provides visibility over SSL certificates provisioned for your domains.


Overview

Major browsers trust a website through its SSL certificate. The certificate proves the site's identity and lets the browser establish an encrypted connection before any content is sent.

When Certificate Authorities issue certificates, they record the issuance in public Certificate Transparency (CT) logs. CT logs are large, append-only databases operated by Cloudflare, Google, and others that collectively document issued certificates. Cloudflare’s Certificate Transparency Monitoring emails an alert whenever your domain appears in a CT log. CT monitoring therefore notifies you whenever an SSL certificate is issued for your domain and lets you confirm that each new certificate is legitimate.

CT monitoring does not detect phishing attempts. For example, for cloudflare.com, an alert would not trigger for a certificate issued for cloudf1are.com or cloud-flare.com.

Enable Certificate Transparency alerts

Alerts are Off by default and can be enabled via Certificate Transparency Monitoring within the Cloudflare Crypto app. Alerts for Free and Pro domains are limited to 10 per week and are sent to all Cloudflare account members defined within Shared Account Access. Business and Enterprise domains can configure up to 10 email addresses to receive CT alerts. These email addresses do not need to belong to a Cloudflare account, and alerts are limited to 200 per week.

Alert limits are counted by certificate, not by the number of emails sent. For example, an alert for www.example.com that is emailed to 5 recipients only counts as 1 alert.
Send emails to more than 10 people by setting up an email alias, for example: ct-alerts@yourcompany.com.

To disable CT alerts for Free and Pro domains, set Certificate Transparency Monitoring to Off in the Cloudflare dashboard Crypto app. For Business and Enterprise domains, remove all configured email addresses from the Certificate Transparency Monitoring feature.


Take action against malicious SSL certificates

Most certificate alerts are routine. For example, certificates expire and must be reissued. No action is required if your domain is listed in the email along with recognizable ownership and certificate information.

However, take action whenever:

  • You don’t recognize the certificate issuer.
  • You notice problems with your website around the time you received the CT alert.

Malicious activity can be difficult to recognize, so exercise caution. Follow the suggestions below if you identify an issue:
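As an added example, not from the Cloudflare article or Cloudflare's own implementation: a small triage helper over constructed CT log entries that mirrors the alerting rules described on this page. It matches only the monitored domain and its subdomains (so a lookalike such as cloudf1are.com never matches), counts one alert per certificate no matter how many log entries or recipients it has, and flags certificates whose issuer is not on an allowlist. The issuer names, entry format and sample entries are assumptions made for the example.

```python
"""Triage CT-log entries for a monitored domain (constructed sample data)."""
from dataclasses import dataclass

# Issuers you expect for your domain; these names are assumptions for the example.
KNOWN_ISSUERS = {"Cloudflare Inc ECC CA-3", "Let's Encrypt"}


@dataclass(frozen=True)
class CtEntry:
    fingerprint: str  # SHA-256 of the leaf certificate (hex, constructed here)
    issuer: str       # issuer name as recorded in the log
    names: tuple      # subject CN plus SANs


def name_matches(monitored: str, name: str) -> bool:
    """Exact or subdomain match, the way a CT monitor keys alerts to a domain.

    Lookalikes such as cloudf1are.com or cloud-flare.com never match, so a
    CT monitor does not alert on them (the phishing caveat above).
    """
    monitored = monitored.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard for the domain covers the domain itself
    return name == monitored or name.endswith("." + monitored)


def triage(monitored, entries, known_issuers=KNOWN_ISSUERS):
    """Return (alerts, review): one alert per certificate that names the
    monitored domain; 'review' lists those from an unrecognized issuer."""
    seen, alerts, review = set(), [], []
    for e in entries:
        if e.fingerprint in seen:
            continue  # limits count per certificate, not per log entry or recipient
        if not any(name_matches(monitored, n) for n in e.names):
            continue  # not our domain (includes lookalikes)
        seen.add(e.fingerprint)
        alerts.append(e.fingerprint)
        if e.issuer not in known_issuers:
            review.append(e.fingerprint)  # "You don't recognize the issuer"
    return alerts, review


SAMPLE = [  # constructed log entries
    CtEntry("aa11", "Let's Encrypt", ("example.com", "www.example.com")),
    CtEntry("aa11", "Let's Encrypt", ("example.com", "www.example.com")),  # same cert, 2nd log
    CtEntry("bb22", "Unknown Test CA", ("api.example.com",)),
    CtEntry("cc33", "Let's Encrypt", ("examp1e.com", "notexample.com")),  # lookalikes
]

if __name__ == "__main__":
    print(triage("example.com", SAMPLE))
```

Running it yields two alerts (`aa11`, `bb22`) and one certificate to review (`bb22`); the duplicate log entry and the lookalike names produce nothing.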

