
Certificate Transparency reporting

Check frequency

Certificate Transparency monitoring is a rather peculiar check. It doesn't have fixed timings; it runs continuously.

Our Certificate Transparency checker monitors each CT Log continuously and will notify you in near real-time when a new certificate has been found that matches one of your domains.

What is Certificate Transparency?

All issued HTTPS certificates need to be kept in publicly auditable logs. Anyone can look at these logs and report on them. Oh Dear does that for you, by acting as a "Certificate Transparency Log Monitor".

If we detect a certificate that matches any of the domains in your portfolio, we can notify you that this certificate exists.

What kind of Certificate Transparency reports should I expect?

We believe the value of Certificate Transparency is to be notified of certificates you didn't know about. For instance, if someone else manages to obtain a certificate for yoursite.tld, surely you'd want to know.

If you didn't request that certificate, you can request that it be revoked so browsers don't trust it. If a third party tried to set up a fake website in your name, you just prevented that.

We won't bother you with Certificate Transparency reports for certificates whose fingerprints you already know about. If the certificate is already known to Oh Dear, you won't be notified. Our Certificate Change Reporter will catch changed certificates much faster than CT Logs ever will and will present you with a more meaningful report.

Precertificates vs Certificates

Before a certificate can be trusted by a browser, it is announced to Certificate Transparency logs ahead of its issuance. These announcements are called precertificates. Once the actual certificate is issued, it references these precertificates as proof that the certificate has been logged to a Transparency Log.

Oh Dear will only notify you of issued certificates that are trusted by the browser. Precertificates are not trusted by the browser and won't be reported upon.
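
The reporting rules described on this page (match against your domains, skip certificates whose fingerprints are already known, skip precertificates) can be expressed as a filter over CT log entries. This is an added example, not Oh Dear's code; the entry layout, the function names, the placeholder certificate bytes and the subdomain matching rule are assumptions made for illustration.

```python
import hashlib

# LogEntryType values as defined in RFC 6962
X509_ENTRY, PRECERT_ENTRY = 0, 1

def normalize(name):
    """Lowercase, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def matches_portfolio(san, portfolio):
    """True if san equals a monitored domain or is a subdomain of one.
    Assumed rule: compare on label boundaries, so notyoursite.tld
    does not match yoursite.tld."""
    host = normalize(san)
    return any(host == d or host.endswith("." + d)
               for d in map(normalize, portfolio))

def fingerprint(der):
    """SHA-256 fingerprint of the certificate bytes."""
    return hashlib.sha256(der).hexdigest()

def should_notify(entry, portfolio, known_fingerprints):
    """Return the matching names if the entry deserves a report, else []."""
    if entry["entry_type"] == PRECERT_ENTRY:
        return []  # precertificates are not reported
    if fingerprint(entry["der"]) in known_fingerprints:
        return []  # certificate is already known
    return [n for n in entry["names"] if matches_portfolio(n, portfolio)]

# Constructed sample data: "der" holds placeholder bytes, not real certificates.
PORTFOLIO = ["yoursite.tld"]
KNOWN = {fingerprint(b"cert-we-deployed")}
ENTRIES = [
    {"entry_type": PRECERT_ENTRY, "der": b"precert", "names": ["yoursite.tld"]},
    {"entry_type": X509_ENTRY, "der": b"cert-we-deployed", "names": ["yoursite.tld"]},
    {"entry_type": X509_ENTRY, "der": b"unexpected",
     "names": ["*.yoursite.tld", "other.example"]},
    {"entry_type": X509_ENTRY, "der": b"lookalike", "names": ["notyoursite.tld"]},
]

def run(entries=ENTRIES):
    """Return (certificate bytes, matching names) for entries worth reporting."""
    return [(e["der"], hits) for e in entries
            if (hits := should_notify(e, PORTFOLIO, KNOWN))]

if __name__ == "__main__":
    for der, hits in run():
        print(fingerprint(der)[:16], hits)
```

Only the third constructed entry produces a report: the first is a precertificate, the second has a known fingerprint, and the fourth is a different registrable name that merely ends in the same characters.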


Feel free to reach out via support@ohdear.app or on Twitter via @OhDearApp if you have any other questions. We'd love to help!