The only way to get full visibility into all certificates issued for an organization’s domains is to use Certificate Transparency logs. Certificate Transparency (CT) is a security standard designed to increase the transparency and accountability of the certificate issuance process. CT logs are public, append-only, cryptographically verifiable logs that record the issuance and revocation of SSL/TLS certificates, allowing anyone to verify the validity and authenticity of a certificate.
According to Google and the US Department of Homeland Security, organizations must use a CT log monitoring solution to ensure that their certificates are properly recorded in CT logs and to prevent attacks by staying informed about changes to their certificates. In this post, we will review some of the best CT log monitoring solutions recommended by Google.
When choosing a CT log monitoring solution, it’s important to consider your specific needs and preferences. Some solutions may be better suited to smaller organizations, while others may be more appropriate for larger enterprises. Additionally, it’s important to consider the level of support and expertise provided by the solution provider, as well as the price and overall value of the solution.
The monitoring solutions are broken down into two types: email-alert-only services that send you an email when a new certificate is created, and full-fledged tools that help you improve your overall SSL health.
Keytos’ EZMonitor is an easy-to-use tool that allows users to monitor all their domains and get full visibility into all the domains and subdomains for the organization. While most of the tools on the list took the approach of certificate monitoring and visibility, EZMonitor gives that visibility but also focuses on security alerts, such as the over 30,000 Azure domains vulnerable to takeover that it found; you can see EZMonitor’s growing list of SSL scanning alerts.
Cert Spotter is an easy-to-use tool that allows users to monitor one or more CT logs for new certificates. Similar to the other tools listed in this post, it is fed from public information, so it is a fully SaaS offering that does not require any infrastructure or installation.
Similar to the other tools, Hardenize is an easy-to-use tool that does not require installation, and it will help you discover, manage and scan your network perimeter. Hardenize and EZMonitor are the only two tools that not only provide publicly trusted certificate and endpoint scanning, but also allow you to scan your internal network and monitor your internal endpoints.
DigiCert’s Certificate Inspector sends email alerts when a new DigiCert certificate for one of your domains is added to a Certificate Transparency log, as well as an emergency alert if a non-DigiCert certificate is issued for one of your domains.
Similar to DigiCert’s tool, Cloudflare customers can opt in to email notifications when a certificate for one of their Cloudflare-managed domains is issued.
In conclusion, all these solutions are considered among the best CT log monitoring tools available. They offer a range of features and capabilities to help users monitor and manage their CT logs, including real-time notifications, easy search and filtering, and detailed certificate information. Choosing the right CT log monitoring solution will depend on your specific needs and preferences, but any of the above options can help ensure the security and integrity of your organization’s certificates.