Certificate Transparency and Monitoring
Certificate Transparency (CT) is the main detective control for fraudulently or mistakenly issued certificates. Chrome requires publicly trusted certificates issued on or after 30 April 2018 to carry Signed Certificate Timestamps (SCTs) from qualifying CT logs, and Apple has enforced a similar policy since October 2018, so any certificate a mainstream browser will accept for your domain is visible in the public logs. Monitor those logs for every certificate naming your domains, including subdomains and wildcards: a certificate you did not request means an attacker or a misbehaving CA holds a key browsers trust for your site and, combined with a network position or a DNS hijack, can man-in-the-middle your users. CT does not stop the issuance; it lets you detect it and get the certificate revoked quickly. Automate the monitoring with a service such as Facebook's Certificate Transparency Monitoring tool or SSLMate's Cert Spotter, or by polling crt.sh, and alert on any issuer or hostname you do not recognise.
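The review logic such a monitor needs, as an added example that is not code from the page or from any of the services named above. It takes records in the shape crt.sh's JSON output uses (issuer_name, common_name, name_value, id); the records, the allowed issuer and the list of known hostnames are constructed for the example, and a live monitor would fetch real records and remember the last id it processed.

```python
"""Flag unexpected certificates for your domains from CT log search results.

Added example (not the page's or any vendor's code).  The input records are
constructed here in the shape crt.sh's JSON output uses (issuer_name,
common_name, name_value, id); a live monitor would fetch such records from
crt.sh or a service such as Cert Spotter and keep the last seen id.
"""

MONITORED_DOMAINS = {"example.com"}
ALLOWED_ISSUERS = {"Let's Encrypt"}          # CA organisations you actually use
KNOWN_NAMES = {"example.com", "www.example.com", "api.example.com"}  # names you issued

# Constructed sample records (not real log entries).
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com", "name_value": "*.example.com"},
    {"id": 3, "issuer_name": "C=GB, O=Some Other CA Ltd, CN=Other CA G2",
     "common_name": "api.example.com", "name_value": "api.example.com"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nmail.example.com"},
    # Lookalike domain: must not be treated as one of ours.
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil-host.net",
     "name_value": "example.com.evil-host.net"},
]


def issuer_org(issuer_name: str) -> str:
    """Return the O= attribute of a comma-separated issuer DN string.

    Good enough for the common CA names; an O value containing an escaped
    comma would need a real DN parser.
    """
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""


def belongs_to(name: str, domain: str) -> bool:
    """True if name equals domain or is a (wildcard) subdomain of it.

    Comparison is label based: example.com.evil-host.net does not match
    example.com, while *.example.com does.
    """
    n = name.lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    return n == domain or n.endswith("." + domain)


def san_names(record: dict) -> list:
    """crt.sh joins every SAN into name_value with newlines; add the CN too."""
    raw = {record.get("common_name", "")} | set(record.get("name_value", "").split("\n"))
    return sorted({n.strip().lower() for n in raw if n.strip()})


def review(records, monitored=MONITORED_DOMAINS, allowed_issuers=ALLOWED_ISSUERS,
           known_names=KNOWN_NAMES) -> list:
    """Return findings as (record id, reason, detail) tuples.

    A record is examined only if at least one of its names falls under a
    monitored domain; it is reported when its issuer is not on the allow
    list or when it carries a name you never requested a certificate for.
    """
    findings = []
    for rec in records:
        ours = [n for n in san_names(rec) if any(belongs_to(n, d) for d in monitored)]
        if not ours:
            continue
        org = issuer_org(rec.get("issuer_name", ""))
        if org not in allowed_issuers:
            findings.append((rec["id"], "unexpected-issuer", org))
        unknown = [n for n in ours if n not in known_names]
        if unknown:
            findings.append((rec["id"], "unknown-name", ",".join(unknown)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS):
        print(*finding)
```

Run against the sample, the monitor stays silent on record 1 (known names, expected issuer), ignores the lookalike in record 5, and raises three findings: the wildcard in record 2, the foreign issuer in record 3, and two hostnames in record 4 that nobody on your side requested. The last case is the one worth tuning for: a deployment you simply forgot to register is the usual false positive, and the fix is to keep the known-name list in the same place as your issuance automation.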
Expect-CT was a response header that let a site ask browsers to require CT compliance for its certificates and to report failures. In report-only mode the browser sends reports without affecting users: Expect-CT: max-age=86400, report-uri="https://example.com/ct-report". Once the reports show no violations, enforcement can be switched on: Expect-CT: max-age=86400, enforce, report-uri="https://example.com/ct-report". Treat the header as legacy. It was only ever implemented by Chromium-based browsers, which have enforced CT for every publicly trusted certificate since 2018 regardless of the header, and Chrome removed Expect-CT support entirely in version 107 (late 2022). It no longer changes how any current browser validates a certificate; sending it does no harm, but the protection it promised comes from the browsers' built-in CT policy, and the detection comes from your own log monitoring, not from this header.
CAA (Certification Authority Authorization) DNS records (RFC 8659) name the certificate authorities permitted to issue for a domain. CAs have been required by the CA/Browser Forum Baseline Requirements to check CAA before issuing since September 2017, so a correct record blocks ordinary mis-issuance by any other CA. It is a control on issuance only: browsers never consult CAA, it is checked at the moment of issuance rather than continuously, and it does not stop a CA that is compromised or simply ignores it, which is why CT monitoring is still needed. List only the CAs you actually use: example.com. CAA 0 issue "letsencrypt.org". The leading 0 is the flags byte; 128 marks a property as critical, meaning a CA that does not understand the property must refuse to issue. Use issuewild to govern wildcard certificates separately from ordinary ones, and issue ";" to forbid issuance for a name altogether. Add an iodef property so a CA can report a request it refused, pointing at a mailbox you monitor, for instance: example.com. CAA 0 iodef "mailto:security@example.com". CAA is inherited: a CA uses the closest name up the tree that has any CAA records, so a record on a subdomain replaces, rather than adds to, the parent's policy. Review and update the records whenever your certificate strategy changes, and test them before switching CAs, since a stale record will block a legitimate renewal.
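The decision a CA makes from those records, as an added example that is neither the page's code nor any CA's implementation. It parses CAA RDATA from DNS wire format and applies the RFC 8659 rules: climb to the closest name with CAA records, let issuewild override issue for wildcard names, treat issue ";" as a ban, and refuse when an unrecognised property carries the critical flag. The zone is a constructed stand-in for resolver answers; the parameters that RFC 8657 allows after ";" in an issue value (validationmethods, accounturi) are split off but not enforced here.

```python
"""CAA policy check (RFC 8659): would CA X be allowed to issue for name Y?

Added example, not the page's code.  The zone below is a constructed
stand-in for DNS answers; a real check resolves CAA with a DNS library and
feeds the RDATA bytes in here.  Parameters after ';' in issue values
(RFC 8657, e.g. validationmethods=dns-01) are split off but not enforced.
"""

FLAG_CRITICAL = 0x80               # issuer-critical bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def encode_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire format: flags(1) | tag length(1) | tag | value (rest of RDATA)."""
    t = tag.encode("ascii")
    return bytes([flags & 0xFF, len(t)]) + t + value.encode("utf-8")


def parse_caa_rdata(rdata: bytes) -> tuple:
    """Inverse of encode_caa_rdata; rejects truncated records."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than header")
    flags, taglen = rdata[0], rdata[1]
    if taglen == 0 or len(rdata) < 2 + taglen:
        raise ValueError("CAA tag length does not fit RDATA")
    tag = rdata[2:2 + taglen].decode("ascii").lower()
    value = rdata[2 + taglen:].decode("utf-8")
    return flags, tag, value


def issuer_of(value: str) -> str:
    """'ca.example; k=v' -> 'ca.example'.  ';' or '' -> '' (nobody may issue)."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone: dict, name: str) -> list:
    """RFC 8659 section 3: the CAA RRset of name or of its closest ancestor."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def may_issue(zone: dict, name: str, ca_domain: str) -> bool:
    """Decide issuance for name (possibly '*.x') by the CA known as ca_domain."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name     # the '*' label is dropped first
    records = [parse_caa_rdata(r) for r in relevant_rrset(zone, lookup)]
    if not records:
        return True                              # no CAA in the tree: unrestricted
    # An unrecognised property flagged critical means: do not issue.
    if any(f & FLAG_CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [issuer_of(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_of(v) for _, t, v in records if t == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                              # only iodef etc.: no restriction
    return ca_domain.lower() in applicable       # '' from ';' never matches a CA


# Constructed zone: name -> list of CAA RDATA, as a resolver would hand back.
ZONE = {
    "example.com": [
        encode_caa_rdata(0, "issue", "letsencrypt.org"),
        encode_caa_rdata(0, "issuewild", ";"),        # forbid all wildcard certs
        encode_caa_rdata(0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com": [                              # subdomain RRset overrides parent
        encode_caa_rdata(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    ],
    "legacy.example.com": [
        encode_caa_rdata(0, "issue", "digicert.com"),
    ],
    "frozen.example.com": [                           # unknown critical property
        encode_caa_rdata(FLAG_CRITICAL, "futureproperty", "x"),
    ],
}

if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("legacy.example.com", "letsencrypt.org"),
                     ("frozen.example.com", "letsencrypt.org")]:
        print(f"{ca} -> {name}: {'allowed' if may_issue(ZONE, name, ca) else 'refused'}")
```

Two results are worth noticing. Because the closest RRset wins, api.example.com has no issuewild of its own and so a wildcard for *.api.example.com would be governed by its issue property, not by the parent's ban; and legacy.example.com silently excludes Let's Encrypt even though the parent allows it. Both are exactly the surprises a stale record produces at renewal time, which is why running this kind of check before changing CAs or records is cheaper than finding out from a failed renewal.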
Continuous monitoring keeps the SSL/TLS configuration both secure and working. Schedule automated scans with the SSL Labs API, testssl.sh, or a commercial scanner, and record the results as a baseline: enabled protocol versions, cipher suites, certificate chain and issuer, expiry date, HSTS and other security headers. Alert on any deviation from that baseline (a re-enabled TLS 1.0, a new CBC suite, a changed issuer), on certificates approaching expiry, and on newly published vulnerabilities affecting the configured software. Configuration drift usually arrives with an unrelated change, such as a load balancer upgrade that resets defaults, and regular scanning catches it before it costs you security or availability.
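The baseline-and-deviation part of that loop, as an added example that is not code from the page or from any of the scanners named above. compare() diffs a stored baseline against the latest scan and turns each deviation into an alert, and live_snapshot() shows how the standard library can collect the certificate fields from one handshake. The baseline and scan dictionaries are constructed for the example; a single handshake only reveals the protocol and cipher that were negotiated, so the protocol and cipher sets should come from a full enumeration by testssl.sh or SSL Labs rather than from live_snapshot().

```python
"""TLS configuration drift and certificate-expiry checks (added example).

Not the page's code.  compare() diffs a stored baseline against the latest
scan result and turns deviations into alerts; live_snapshot() shows how to
collect certificate fields from a single connection with the standard
library.  The BASELINE and SCAN dicts below are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone

BASELINE = {
    "protocols": {"TLSv1.2", "TLSv1.3"},
    "ciphers": {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "ECDHE-RSA-AES128-GCM-SHA256"},
    "issuer_org": "Let's Encrypt",
    "hsts": True,
}

# Constructed result of "tonight's" scan: TLS 1.0 and a CBC suite have
# crept back in, HSTS vanished and the certificate is close to expiry.
SCAN = {
    "protocols": {"TLSv1", "TLSv1.2", "TLSv1.3"},
    "ciphers": {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"},
    "issuer_org": "Let's Encrypt",
    "hsts": False,
    "not_after": "Apr 10 12:00:00 2025 GMT",   # getpeercert() notAfter format
}


def days_until_expiry(not_after: str, now: float) -> float:
    """Days left on a cert, from the notAfter string ssl.getpeercert() returns."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def compare(baseline: dict, scan: dict, now: float, expiry_warn_days: int = 30) -> list:
    """Return (severity, alert, detail) tuples for every deviation from baseline."""
    alerts = []
    for key in ("protocols", "ciphers"):
        for item in sorted(scan[key] - baseline[key]):
            alerts.append(("high", f"{key[:-1]}-enabled", item))      # weakening
        for item in sorted(baseline[key] - scan[key]):
            alerts.append(("low", f"{key[:-1]}-disabled", item))      # may break clients
    if scan.get("issuer_org") != baseline.get("issuer_org"):
        alerts.append(("high", "issuer-changed", str(scan.get("issuer_org"))))
    if baseline.get("hsts") and "hsts" in scan and not scan["hsts"]:
        alerts.append(("high", "hsts-dropped", ""))
    if "not_after" in scan:
        days = days_until_expiry(scan["not_after"], now)
        if days < expiry_warn_days:
            alerts.append(("medium", "cert-expiring", f"{days:.0f} days"))
    return alerts


def live_snapshot(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Collect issuer, expiry and the negotiated protocol/cipher from one handshake.

    Only what this one connection negotiated is recorded, not everything
    the server supports; HSTS is an HTTP header and is not collected here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
            return {
                "protocols": {tls.version()},
                "ciphers": {tls.cipher()[0]},
                "issuer_org": issuer.get("organizationName"),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    now = datetime(2025, 3, 21, 12, 0, tzinfo=timezone.utc).timestamp()
    for severity, alert, detail in compare(BASELINE, SCAN, now):
        print(severity, alert, detail)
```

Severities are deliberate: something newly enabled is a weakening and should page someone, while something that disappeared is more often a client-compatibility problem than a security one. Certificate rotation on its own is not an alert here, only a change of issuer, which is the signal that matters and pairs with the CT monitoring above.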