CT logs monitoring
Certificate Transparency (CT) is a global logging system that records all public TLS/SSL certificates issued by trusted certificate authorities (CAs). The CT logs allow anyone to audit and monitor public certificate issuance to help detect fraudulent activity and strengthen trust and security across the internet.
With the CT logs monitoring feature in DigiCert® Trust Lifecycle Manager, you can monitor the CT logs for specific organizations and domains, adding the discovered certificates to your centralized inventory where you can track them and configure notifications.
Important
Trust Lifecycle Manager only discovers valid certificates from the CT logs. It does not discover revoked or expired certificates.
Before you begin
Before enabling CT logs monitoring in Trust Lifecycle Manager, verify these prerequisites and plan your CT discovery settings.
To verify whether the CT logs monitoring feature is available for your Trust Lifecycle Manager account:
In the Trust Lifecycle Manager menu, go to Account > Settings.
Under Discovery settings, check for an option for CT logs monitoring.
If this option is present, your account includes the CT logs monitoring feature.
If not present, CT logs monitoring is not currently available for your account.
Note
For help verifying or enabling this feature, contact your DigiCert account representative.
To configure the CT logs monitoring feature, you need the Manager user role for Trust Lifecycle Manager.
To enable CT logs monitoring, you must specify at least one organization or base domain to track in the CT logs. Trust Lifecycle Manager uses these settings to identify public certificates to add to your inventory, as follows:
Organizations: Discover any certificate where the Organization (O) field includes one of the organizations you specify.
Base domains: Discover any certificate where the Common Name (CN) or Subject Alternative Name (SAN) includes one of the specified base domains or any of its subdomains.
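The two discovery rules above can be expressed as a small matching routine. This is an added illustration, not Trust Lifecycle Manager code: the settings, sample certificates and the fixed clock are constructed, and the substring, case-insensitive reading of "includes" for the Organization field is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed discovery settings, mirroring the two fields the page describes.
ORGANIZATIONS = ["Example Corp"]
BASE_DOMAINS = ["example.com"]
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the samples

@dataclass
class CertSummary:
    """Minimal view of a CT-logged certificate (constructed for this example)."""
    organization: str      # Subject O field
    common_name: str       # Subject CN field
    sans: list             # DNS names from the SAN extension
    not_before: datetime
    not_after: datetime

def domain_matches(name: str, base: str) -> bool:
    """name equals base or is a subdomain of it, case-insensitively. A leading
    '*.' wildcard label is stripped; 'notexample.com' does NOT match example.com."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == base or name.endswith("." + base)

def matches_settings(cert: CertSummary, organizations, base_domains) -> bool:
    """O contains a configured organization (substring, case-insensitive: an
    assumption about how 'includes' is evaluated), or any CN/SAN falls under a
    configured base domain."""
    if any(o.lower() in cert.organization.lower() for o in organizations):
        return True
    return any(domain_matches(n, b) for n in [cert.common_name, *cert.sans] for b in base_domains)

def discover(certs, organizations=ORGANIZATIONS, base_domains=BASE_DOMAINS, now=FIXED_NOW):
    """CNs of certificates that would be added: time-valid AND matching the settings.
    Revocation (also excluded by the page) would need a CRL/OCSP check; not done here."""
    return [c.common_name for c in certs
            if c.not_before <= now <= c.not_after
            and matches_settings(c, organizations, base_domains)]

# Constructed sample entries as a CT log monitor might surface them.
_PAST, _FUTURE = datetime(2023, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertSummary("Example Corp Ltd", "www.example.com", ["*.example.com"], _PAST, _FUTURE),
    CertSummary("Other Org", "api.shop.example.com", [], _PAST, _FUTURE),                  # subdomain
    CertSummary("Other Org", "notexample.com", ["login.notexample.com"], _PAST, _FUTURE),  # no match
    CertSummary("EXAMPLE CORP", "unrelated.net", [], _PAST, _FUTURE),                      # O match only
    CertSummary("Example Corp", "old.example.com", [], _PAST, datetime(2024, 1, 1, tzinfo=timezone.utc)),  # expired
]
```

Running `discover(SAMPLE_CERTS)` keeps the first, second and fourth entries and drops the look-alike domain and the expired certificate.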
If you want to automatically assign metadata to certificates discovered through CT logs monitoring, you need to configure one or more assignment rules that you can apply in the CT logs settings. You can use rules to assign custom attributes, certificate owners, and tags, based on conditions such as the CA or Subject DN in the discovered certificates. You configure the rules first, then select the applicable rules in the CT logs settings.
To learn more about how to configure assignment rules for certificate metadata, see Assignment rules.
Enable CT logs monitoring
To enable CT logs monitoring in Trust Lifecycle Manager:
Manage CT logs monitoring
Pause or resume monitoring
You can pause or resume CT logs monitoring at any time. When you pause monitoring, your discovery settings are preserved. If you resume monitoring, the same organizations, base domains, and assignment rules will apply.
To pause or resume the CT logs monitoring feature:
In the Trust Lifecycle Manager menu, go to Account > Settings > CT logs monitoring.
Enable CT logs monitoring:
Switch this Off to pause monitoring.
Switch this On to resume monitoring the CT logs.
Edit discovery settings
To edit the discovery settings for the CT logs monitoring feature:
In the Trust Lifecycle Manager menu, go to Account > Settings > CT logs monitoring.
Edit any of the following fields:
Organizations: Add or remove organization names to monitor in the Organization (O) field of certificates.
Base domains: Add or remove base domains to monitor in the CN or SAN fields of certificates.
Certificate assignment rules: Select or deselect rules for assigning metadata to discovered certificates.
Important
You cannot edit the discovery settings while CT logs monitoring is paused.
View CT log certificates in inventory
When monitoring is enabled, Trust Lifecycle Manager continuously scans the CT logs for any valid certificates that contain the organizations or domains you specified. If not already present, it adds the certificates it finds to your centralized inventory.
To view the certificates discovered from the CT logs, go to the Inventory > Certificates page. Use the following filters to help identify the CT log certificates. If a column is not present, use the Add Column button on the top-right of the table to add it.
| Filter | Description |
|---|---|
| Source | Select |
| Tags | If you used an assignment rule to apply tags to the CT log certificates, you can filter by those tags. |
After listing the CT log certificates in the inventory table, you can:
Select the save icon on the top-right of the table to save a custom view of the CT log certificates.
Select the reports icon on the top-right of the table to create a custom report from the CT log certificates to run once or on an ongoing schedule.
To learn more about inventory views and functions, see View inventory.
Set up notifications for CT log certificates
To set up email notifications about CT log certificates, use the Discovered certificate notification types on the Policies > Notifications page in Trust Lifecycle Manager. You can set up general lifecycle notifications, or notifications about discovered certificates in your inventory that are approaching expiration or have already expired.
To learn more about how to enable email alerts, see Notifications.