Certificate Transparency (CT) Logs
Introduction
Certificate Transparency (CT) is an open framework designed to improve the security of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificate ecosystem. CT logs are publicly accessible, append-only records that contain information about SSL/TLS certificates issued by trusted Certificate Authorities (CAs). Every publicly trusted certificate issued for a domain is typically recorded in one or more CT logs, making certificate issuance transparent and auditable.
For ethical hackers and penetration testers, CT logs are a valuable reconnaissance resource because they often reveal subdomains, hostnames, and services that belong to an organization. Since CT logs are public, they can be used to identify assets without directly interacting with the target systems.
Why Certificate Transparency Exists
Before Certificate Transparency, a compromised or malicious Certificate Authority could issue fraudulent certificates without the domain owner's knowledge. This created opportunities for impersonation and man-in-the-middle attacks.
CT was introduced to provide:
Transparency in certificate issuance.
Public auditing of certificates.
Detection of unauthorized or mistakenly issued certificates.
Increased trust in the Public Key Infrastructure (PKI).
Today, major web browsers require publicly trusted certificates to be logged in Certificate Transparency logs before they are accepted.
How Certificate Transparency Works
A domain owner requests an SSL/TLS certificate from a Certificate Authority.
The Certificate Authority submits the certificate to one or more public CT logs.
The CT log records the certificate in an append-only database and returns a Signed Certificate Timestamp (SCT).
The SCT is embedded in or associated with the certificate.
Browsers can verify that the certificate has been logged before establishing a secure connection.
This process allows anyone to inspect publicly issued certificates for a domain.
Information Available in CT Logs
A CT log entry may contain information such as:
Domain name
Subdomain names
Wildcard certificates
Certificate serial number
Certificate Authority (CA)
Certificate validity period
Issuance date
Expiration date
Public key information
Signature algorithm
Subject Alternative Names (SANs)
This information helps build a more complete inventory of an organization's internet-facing assets.
Example CT Log Entry
Common Name (CN):
www.example.com
Subject Alternative Names (SAN):
www.example.com
api.example.com
mail.example.com
cdn.example.com
Certificate Authority:
Let's Encrypt
Issued:
2026-01-10
Expires:
2026-04-10
Serial Number:
04A3F8D29B...
Explanation
This certificate indicates that the organization has several publicly named services:
www.example.com
api.example.com
mail.example.com
cdn.example.com
Even if these hostnames are not linked from the main website, their existence is visible through the CT log because they were included in the certificate.
Wildcard Certificate Example
Common Name:
*.example.com
Certificate Authority:
DigiCert
Issued:
2026-02-01
Explanation
A wildcard certificate (*.example.com) can secure many first-level subdomains, such as:
shop.example.com
blog.example.com
support.example.com
However, the wildcard entry itself does not reveal every subdomain. Individual hostnames become visible only if they appear in certificate requests, such as in the Subject Alternative Name (SAN) field of other certificates.
Subject Alternative Name (SAN)
Modern certificates often include multiple hostnames in the Subject Alternative Name (SAN) extension.
Example
Subject Alternative Names
www.example.com
api.example.com
admin.example.com
login.example.com
mobile.example.com
A single certificate can therefore reveal multiple services belonging to the same organization.
What Ethical Hackers Can Learn from CT Logs
During an authorized assessment, CT logs can help identify:
Internet-facing Subdomains
Examples:
api.example.com
mail.example.com
vpn.example.com
login.example.com
portal.example.com
Cloud Services
Examples:
storage.example.com
cdn.example.com
media.example.com
Development and Testing Environments
Examples:
dev.example.com
test.example.com
staging.example.com
qa.example.com
beta.example.com
These environments may contain different configurations or newer features than production systems and should be included in the authorized asset inventory if they are within scope.
Administrative Interfaces
Examples:
admin.example.com
dashboard.example.com
cp.example.com
These names indicate management portals that may require additional security review during an authorized assessment.
Geographic Infrastructure
Examples:
us.example.com
eu.example.com
asia.example.com
This may provide insight into regional deployments.
Third-Party Services
Organizations sometimes obtain certificates for services hosted by external providers, such as:
support.example.com
payments.example.com
identity.example.com
These records can help identify third-party integrations.
Benefits of CT Logs in Reconnaissance
Publicly accessible information.
No direct interaction with the target systems.
Helps discover forgotten or undocumented subdomains.
Supports asset inventory and attack surface mapping.
Reveals certificate issuance history.
Identifies newly deployed internet-facing services.
Assists in technology and infrastructure analysis.
Limitations
Certificate Transparency logs do not guarantee that a hostname is currently active or reachable. A certificate may have been issued for:
A service that has since been removed.
A staging or development environment that is offline.
A hostname reserved for future use.
Therefore, any discovered hostnames should be verified during later phases of an authorized assessment.
Example Scenario
Suppose an organization's public website is:
www.example.com
A CT log search reveals the following certificate:
Subject Alternative Names
www.example.com
api.example.com
login.example.com
vpn.example.com
mail.example.com
staging.example.com
From this single certificate, the security team learns that the organization has at least six publicly named services that may need to be included in the assessment, subject to the agreed testing scope.
Summary
Certificate Transparency logs are a valuable source of publicly available information during the reconnaissance phase of an ethical hacking engagement. They improve the transparency of SSL/TLS certificate issuance while enabling security professionals to discover domains, subdomains, certificate history, and infrastructure details. When combined with other reconnaissance techniques, CT logs help create a more complete and accurate inventory of an organization's authorized attack surface, supporting efficient and comprehensive security assessments.