certificate-transparency-monitoring.mdx

File metadata and controls

101 lines (57 loc) · 5.39 KB
---
pcx_content_type: concept
title: Certificate Transparency Monitoring
sidebar:
  order: 3
head: []
description: Certificate Transparency (CT) Monitoring is an opt-in feature in public beta that aims at improving security by allowing you to double-check any SSL/TLS certificates issued for your domain.
---

import { FeatureTable, GlossaryTooltip } from "~/components"

Certificate Transparency (CT) Monitoring is an opt-in feature in public beta that aims at improving security by allowing you to double-check any SSL/TLS certificates issued for your domain.

CT Monitoring alerts are not limited to certificates that Cloudflare itself issues (including backup certificates). An alert is triggered whenever any Certificate Authority (CA) issues a certificate that covers your monitored domain and that certificate is added to a public CT log. You can learn more about how this works in the introductory blog post.

:::caution[Aspects to consider]

  • If you use Cloudflare or other services that automatically issue certificates for your domain or subdomains, this may trigger CT Monitoring emails as well.
  • If your domain is included in a shared certificate, you may receive notifications for domains or subdomains that do not belong to you but are included as subject alternative names (SANs) together with your domain. You can use a tool like Certificate Search to gather more information in such cases.
  • CT Monitoring does not detect phishing attempts. For example, for cloudflare.com, an alert would not trigger if a certificate was issued for cloudf1are.com or cloud-flare.com.

:::


## Availability


## Opt in and out

Alerts are turned off by default. If you want to receive alerts, go to SSL/TLS > Edge Certificates and enable Certificate Transparency Monitoring. If you are in a Business or Enterprise zone, select Add Email.

To stop receiving alerts, disable Certificate Transparency Monitoring or remove your email from the feature card.


## Emails to be concerned about

Most certificate alerts are routine. Cloudflare sends alerts whenever a certificate for your domain appears in a log. Certificates expire (and must be reissued), so it is completely normal to receive issuance emails. If your domain is listed in the email, along with reasonable ownership and certificate information, then no action is required.

Additionally, you should check whether the certificate was issued through Cloudflare. Cloudflare partners with multiple CAs to provide certificates. To view all Cloudflare-issued certificates and backup certificates - which require no additional actions - visit the Edge Certificates page in the dashboard.

You should take action when something is clearly wrong, such as if you:

  • Do not recognize the certificate issuer.

    :::note
    Cloudflare provisions backup certificates, so you may see a certificate listed that is not in active use for your site. The Edge Certificates page will show all certificates requested for your site.
    :::

  • Have recently noticed problems with your website.
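The checklist above, together with the caveats earlier on this page (shared certificates listing names that are not yours, and lookalike domains never triggering an alert), can be turned into a small triage script. The example below is added here and is not Cloudflare's code: it reads log entries in the shape returned by the crt.sh JSON API (`issuer_name`, `common_name`, `name_value` with one name per line, `not_before`, `not_after`) from a constructed sample, keeps only entries that actually cover the monitored domain, and sorts them into routine issuance, shared certificates carrying foreign SANs, and certificates from an issuer you did not expect. The list of expected issuers and all domain names are assumptions standing in for your own Edge Certificates page and CA choices.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output; these are not real
# log entries and the issuer and domain names are assumptions for illustration.
SAMPLE_CT_JSON = """[
  {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "example.com",
   "name_value": "example.com\\nwww.example.com",
   "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00"},
  {"id": 2, "issuer_name": "C=US, O=Google Trust Services, CN=WR1",
   "common_name": "shared.cdn-tenant.net",
   "name_value": "shared.cdn-tenant.net\\n*.example.com\\nexample.com\\n*.other-tenant.net\\nother-tenant.net",
   "not_before": "2024-03-02T00:00:00", "not_after": "2024-06-01T00:00:00"},
  {"id": 3, "issuer_name": "CN=Unknown Issuing CA, O=Unknown Org",
   "common_name": "login.example.com",
   "name_value": "login.example.com",
   "not_before": "2024-03-03T00:00:00", "not_after": "2025-03-03T00:00:00"},
  {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "examp1e.com",
   "name_value": "examp1e.com",
   "not_before": "2024-03-04T00:00:00", "not_after": "2024-06-02T00:00:00"}
]"""

# Assumed: the CAs you (or Cloudflare on your behalf) normally obtain
# certificates from. Anything else is worth a closer look.
EXPECTED_ISSUERS = ("Let's Encrypt", "Google Trust Services")


def covers(name: str, monitored: str) -> bool:
    """True if a certificate name (optionally a wildcard) is the monitored
    domain or one of its subdomains. This is an exact suffix match, which is
    why a lookalike such as examp1e.com never produces an alert."""
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    monitored = monitored.lower()
    return name == monitored or name.endswith("." + monitored)


def triage(ct_json: str, monitored: str, expected_issuers=EXPECTED_ISSUERS) -> list:
    """Classify each log entry that covers the monitored domain:
    - 'routine': expected issuer, every name is under your domain
    - 'shared': expected issuer, but the certificate also lists names that are
      not yours (a shared certificate, as the caution above describes)
    - 'investigate': an issuer you do not recognise
    Entries that do not cover the domain are dropped; the monitor would never
    have alerted on them."""
    results = []
    for entry in json.loads(ct_json):
        names = [n.strip() for n in entry["name_value"].split("\n") if n.strip()]
        if not any(covers(n, monitored) for n in names):
            continue
        issuer = entry["issuer_name"]
        issuer_known = any(e.lower() in issuer.lower() for e in expected_issuers)
        foreign = [n for n in names if not covers(n, monitored)]
        if not issuer_known:
            verdict = "investigate"
        elif foreign:
            verdict = "shared"
        else:
            verdict = "routine"
        results.append({
            "id": entry["id"],
            "issuer": issuer,
            "verdict": verdict,
            "foreign_names": foreign,
            "not_after": entry["not_after"],
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_CT_JSON, "example.com"):
        print(f"entry {r['id']}: {r['verdict']:12} issuer={r['issuer']}"
              + (f" foreign SANs={r['foreign_names']}" if r["foreign_names"] else ""))
```

For a real check, replace `SAMPLE_CT_JSON` with the JSON returned by a CT search for your domain, and treat `EXPECTED_ISSUERS` as a stand-in for comparing the email's Issuer field against the certificates listed on your Edge Certificates page. The `shared` verdict is informational only: foreign SANs on a certificate from an expected issuer are the shared-certificate case, not evidence of mis-issuance. Only `investigate` should lead you to the actions in the next section.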


## How to take action

### Option 1: Contact certificate authorities

Only Certificate Authorities can revoke malicious certificates. If you believe an illegitimate certificate was issued for your domain, contact the Certificate Authority listed as the Issuer in the email.

### Option 2: Contact domain registrars

Domain registrars may be able to suspend potentially malicious domains. If, for example, you notice that a malicious domain was registered through GoDaddy, contact GoDaddy’s support team to see if they can help you. Do the same for other registrars.

### Option 3: Improvise

There are other ways to combat malicious certificates. You can warn your visitors with an on-site notification or ask browser makers (Google for Chrome, etc.) to block these domains.

If someone is attempting to impersonate you online, you should absolutely take action. This is usually difficult to recognize, so exercise caution. Remember: the vast majority of certificates are not malicious. Only take action if you believe something is wrong.


## HTTP Public Key Pinning

Certificate Transparency Monitoring addresses the same problem as HTTP Public Key Pinning (HPKP), detecting certificates issued for your domain that you did not authorize, but with fewer technical issues: because it only observes and alerts, it cannot lock visitors out of your site the way a stale or mistaken pin can.

Cloudflare does not offer or support HPKP and advises against using it with Universal SSL.