Certificate Transparency (CT) Logs

Trang web này chưa được dịch. Bạn có thể đóng góp tại đây.

Last updated: | See all Documentation

Certificate Transparency (CT) is a system for logging and monitoring the issuance of TLS certificates. CT greatly enhances everyone's ability to monitor and study certificate issuance, and these capabilities have led to numerous improvements to the CA ecosystem and Web security. As a result, CT is rapidly becoming critical infrastructure.

Let's Encrypt submits all certificates we issue to CT logs. We also operate two annually sharded CT logs named Oak and Testflume. All publicly trusted certificate authorities are welcome to submit to our logs. Many certificate authority root certificates have already been included in our CT logs. Contact us via email about adding new root certificates to our logs if yours has not been included.

Sign up for notifications in the CT announcements category of our community forum to see major announcements about our CT logs.

Funding

We'd like to thank the following partners for generously sponsoring the Let's Encrypt CT log. If your organization would like to help us continue this work, please consider sponsoring or donating.

Sectigo

Architecture

Check out our blog to see How Let's Encrypt Runs CT Logs!

Log Monitoring

Let's Encrypt has created an open-source CT log monitoring tool called CT Woodpecker. We use this tool to monitor the stability and compliance of our own logs, and we hope others will find it to be useful as well.

CT Logs

Production

  • Oak is incorporated into the Apple and Google CT programs.
  • Our production ACME API environment submits certificates here.
    • Name: Oak 2019
      URI: https://oak.ct.letsencrypt.org/2019
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFkqNKRuZ+Z8IOsnNJrUZ8gwp+KKGOdQrJ/HKhSadK/SJuoCc9+dxQ7awpmWIMr9SKcQeG5uRzG1kVSyFN4Wfcw==
      Log ID: 65:9B:33:50:F4:3B:12:CC:5E:A5:AB:4E:C7:65:D3:FD:E6:C8:82:43:77:77:78:E7:20:03:F9:EB:2B:8C:31:29
      Window Start: 2019-01-01T00:00Z
      Window End: 2020-01-07T00:00Z
      State: Rejected - Shard Expired
    • Name: Oak 2020
      URI: https://oak.ct.letsencrypt.org/2020
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfzb42Zdr/h7hgqgDCo1vrNJqGqbcUvJGJEER9DDqp19W/wFSB0l166hD+U5cAXchpH8ZkBNUuvOHS0OnJ4oJrQ==
      Log ID: E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E
      Window Start: 2020-01-01T00:00Z
      Window End: 2021-01-07T00:00Z
      State: Usable
    • Name: Oak 2021
      URI: https://oak.ct.letsencrypt.org/2021
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELsYzGMNwo8rBIlaklBIdmD2Ofn6HkfrjK0Ukz1uOIUC6Lm0jTITCXhoIdjs7JkyXnwuwYiJYiH7sE1YeKu8k9w==
      Log ID: 94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D:D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2
      Window Start: 2021-01-01T00:00Z
      Window End: 2022-01-07T00:00Z
      State: Usable
    • Name: Oak 2022
      URI: https://oak.ct.letsencrypt.org/2022
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhjyxDVIjWt5u9sB/o2S8rcGJ2pdZTGA8+IpXhI/tvKBjElGE5r3de4yAfeOPhqTqqc+o7vPgXnDgu/a9/B+RLg==
      Log ID: DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
      Window Start: 2022-01-01T00:00Z
      Window End: 2023-01-07T00:00Z
      State: Usable
    • Name: Oak 2023
      URI: https://oak.ct.letsencrypt.org/2023
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz0OeL7jrVxEXJu+o4QWQYLKyokXHiPOOKVUL3/TNFFquVzDSer7kZ3gijxzBp98ZTgRgMSaWgCmZ8OD74mFUQ==
      Log ID: B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
      Window Start: 2023-01-01T00:00Z
      Window End: 2024-01-07T00:00Z
      State: Pending

Testing

  • SCTs from these logs SHOULD NOT be incorporated into publicly trusted certificates.
  • The Let's Encrypt production and staging ACME API environments both submit certificates to Testflume, but the production environment does not use the resulting SCTs.
  • We test new versions of Trillian and certificate-transparency-go here before deploying them to production.
  • Testflume's accepted roots list includes all of the Oak accepted roots, plus additional test roots.
  • Testflume can be used by other certificate authorities for testing purposes.
    • Name: Testflume 2019
      URI: https://testflume.ct.letsencrypt.org/2019
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAg3+vFOesFW51rKECekioAt9Zo50atRoOJ0qLxF7DIEHsHneXLEpgO1WMreleRy1vEbUJD7TXoH9r8qSDGvyew==
      Log ID: 84:9F:5F:7F:58:D2:BF:7B:54:EC:BD:74:61:1C:EA:45:C4:9C:98:F1:D6:48:1B:C6:F6:9E:8C:17:4F:24:F3:CF
      Window Start: 2019-01-01T00:00Z
      Window End: 2020-01-07T00:00Z
    • Name: Testflume 2020
      URI: https://testflume.ct.letsencrypt.org/2020
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjdjcoKpeBShHgHvRm3BxD5+l+eHZudv3KmD5SDcLcI01Vj5TDTmxanQKCgpvm9pfnfB6URMQV3hhU1I02jRoRw==
      Log ID: C6:3F:22:18:C3:7D:56:A6:AA:06:B5:96:DA:8E:53:D4:D7:15:6D:1E:9B:AC:8E:44:D2:20:2D:E6:4D:69:D9:DC
      Window Start: 2020-01-01T00:00Z
      Window End: 2021-01-07T00:00Z
    • Name: Testflume 2021
      URI: https://testflume.ct.letsencrypt.org/2021
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdCLoJNt1QcNa7sNDp7g7oTJ+o/UIYEM6N/IZWT+dhdqtJZC+AODJ/4exdOwG04B4K6WrN1VB2ELKQIc/wU1lCw==
      Log ID: 03:ED:F1:DA:97:76:B6:F3:8C:34:1E:39:ED:9D:70:7A:75:70:36:9C:F9:84:4F:32:7F:E9:E1:41:38:36:1B:60
      Window Start: 2021-01-01T00:00Z
      Window End: 2022-01-07T00:00Z
    • Name: Testflume 2022
      URI: https://testflume.ct.letsencrypt.org/2022
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjy/rXcABuf0yhrm1+XgjDnh4XPD7vfMoyJOyT+KA+c2zuXVR98yQmp/Bl5ZFdGFwJuFcVrCw7IDo0EGKs7UCww==
      Log ID: 23:27:EF:DA:35:25:10:DB:C0:19:EF:49:1A:E3:FF:1C:C5:A4:79:BC:E3:78:78:36:0E:E3:18:CF:FB:64:F8:C8
      Window Start: 2022-01-01T00:00Z
      Window End: 2023-01-07T00:00Z
    • Name: Testflume 2023
      URI: https://testflume.ct.letsencrypt.org/2023
      Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8aLpnumqeISmQEB3hKPgtPJQG3jP2IftfaUQ4WPUihNBwUOEk1R9BMg5RGQwebWSsRlGIRiCvtE97Q45Vh3mqA==
      Log ID: 55:34:B7:AB:5A:6A:C3:A7:CB:EB:A6:54:87:B2:A2:D7:1B:48:F6:50:FA:17:C5:19:7C:97:A0:CB:20:76:F3:C6
      Window Start: 2023-01-01T00:00Z
      Window End: 2024-01-07T00:00Z

Log Operations

To enumerate the included roots for a particular CT log, you can run the following command in the terminal of your choice:

$ for i in $(curl -s https://oak.ct.letsencrypt.org/2020/ct/v1/get-roots | jq -r '.certificates[]'); do
    echo '------'; base64 -d <<< "${i}" | openssl x509 -inform der -noout -issuer -serial
done

Submitting certificates to a CT log is typically handled by certificate authorities. If you'd like to experiment with this, begin by retrieving an arbitrary PEM encoded certificate from our favorite website. Copy and paste the following block into your terminal.

$ echo | \
openssl s_client \
    -connect "letsencrypt.org":443 \
    -servername "letsencrypt.org" \
    -verify_hostname "letsencrypt.org" 2>/dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.crt

Before a certificate can be submitted, it must be JSON encoded within a special structure. You can use the JSON generator provided by https://crt.sh/gen-add-chain to perform this task. The crt.sh utility will return a JSON bundle. Download the bundle to your computer, rename the file if you must, and issue the following command to perform the add-chain operation (RFC 6962 section 4.1) to submit the certificate to a CT log. The output will contain a signature which is in fact an SCT. More on the signature in a moment.

$ curl \
    -X POST \
   --data @example-json-bundle.json \
    -H "Content-Type: application/json" \
    -H "User-Agent: lets-encrypt-ct-log-example-1.0" \
   https://oak.ct.letsencrypt.org/2020/ct/v1/add-chain
{"sct_version":0,"id":"5xLysDd+GmL7jskMYYTx6ns3y1YdESZb8+DzS/JBVG4=","timestamp":1576689972016,"extensions":"","signature":"BAMARzBFAiEA4OmuTcft9Jq3XLtcdZz9XinXCvYEY1RdSQICXayMJ+0CIHuujkKBLmQz5Cl/VG6C354cP9gxW0dfgMWB+A2yHi+E"}

To confirm that the CT log was signed by the Oak 2020 shard, we use the id field from the command above and run it through the following command. The result of this will output the Log ID of the CT log.

$ base64 -d <<< "5xLysDd+GmL7jskMYYTx6ns3y1YdESZb8+DzS/JBVG4=" | xxd -p -c 64 | sed -e 's/../&:/g' -e 's/:$//' | tr '[:lower:]' '[:upper:]'
E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E

Using the signature field, we can verify that the certificate was submitted to a log. Using our SCT deep dive guide, you could further decode this value.

$ base64 -d <<< "BAMARzBFAiEA4OmuTcft9Jq3XLtcdZz9XinXCvYEY1RdSQICXayMJ+0CIHuujkKBLmQz5Cl/VG6C354cP9gxW0dfgMWB+A2yHi+E" | xxd -p -c 16 | sed -e 's/../&:/g' -e 's/:$//' | tr '[:lower:]' '[:upper:]'
04:03:00:47:30:45:02:21:00:E0:E9:AE:4D:C7:ED:F4
9A:B7:5C:BB:5C:75:9C:FD:5E:29:D7:0A:F6:04:63:54
5D:49:02:02:5D:AC:8C:27:ED:02:20:7B:AE:8E:42:81
2E:64:33:E4:29:7F:54:6E:82:DF:9E:1C:3F:D8:31:5B
47:5F:80:C5:81:F8:0D:B2:1E:2F:84