June 22, 2026 · 5 min read

Certificate Transparency logs: find every certificate issued for your domain

Every publicly trusted certificate issued today is written into a public, append-only ledger called a Certificate Transparency log. It is one of the quieter security wins of the last decade, and it doubles as a free reconnaissance and monitoring tool for your own domains.

Why CT logs exist

Before Certificate Transparency, a certificate authority could issue a certificate for your domain and nobody outside that exchange would know. A compromised or careless CA could hand an attacker a valid certificate for your bank, and the first sign might be an actual attack.

CT fixed this by requiring CAs to publish every certificate they issue to public logs. Browsers now expect to see proof of logging (a Signed Certificate Timestamp, or SCT) before they trust a certificate. The effect is that issuance is no longer secret: anyone can watch the logs and see exactly what was issued, by whom, and when.

What you can do with them

  • Inventory your own certificates. Searching the logs for your domain returns every certificate ever issued for it, including subdomains you may have forgotten. It is the fastest way to find that staging or legacy host still holding a valid cert.
  • Catch unauthorized issuance. A certificate for your domain that you did not request is a serious signal: a misconfigured CA, a compromised DNS or email validation, or an attacker. CT makes it visible.
  • Discover a target's surface. Security testers use CT logs to enumerate subdomains, because every certificate names the hosts it covers in its SAN field.
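
An added example (not from the original post) of the first two uses above: it reviews CT search results for your own domain, flagging still-valid certificates from a CA you do not use and hostnames missing from your inventory. The record shape, field names, CA names and host lists are constructed assumptions; map them to whatever your CT search tool exports.

```python
from datetime import datetime, timezone

# Constructed sample records; field names (issuer, sans, not_after) are assumptions.
SAMPLE_RECORDS = [
    {"issuer": "C=US, O=Example Trust CA, CN=Example Trust R1",
     "sans": ["www.example.com", "example.com"],
     "not_after": "2026-09-01T00:00:00+00:00"},
    {"issuer": "C=US, O=Example Trust CA, CN=Example Trust R1",
     "sans": ["staging.example.com"],
     "not_after": "2026-08-15T00:00:00+00:00"},
    {"issuer": "C=XX, O=Unexpected CA, CN=Unexpected Issuing CA",
     "sans": ["login.example.com"],
     "not_after": "2026-10-01T00:00:00+00:00"},
    {"issuer": "C=US, O=Example Trust CA, CN=Example Trust R1",
     "sans": ["*.internal.example.com", "legacy.example.com"],
     "not_after": "2025-01-01T00:00:00+00:00"},
]

EXPECTED_ISSUER_ORGS = {"Example Trust CA"}  # hypothetical: the CAs you actually use
KNOWN_HOSTS = {"example.com", "www.example.com", "*.internal.example.com"}

def issuer_org(issuer_dn):
    """Pull the O= attribute out of a simple comma-separated issuer DN."""
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""

def review(records, now):
    """Return (unexpected_issuance, hosts_not_in_inventory) for still-valid certs."""
    unexpected, forgotten = [], set()
    for rec in records:
        if datetime.fromisoformat(rec["not_after"]) <= now:
            continue  # expired: part of the history, but no longer a live cert
        if issuer_org(rec["issuer"]) not in EXPECTED_ISSUER_ORGS:
            unexpected.append(rec)
        forgotten.update(h.lower() for h in rec["sans"] if h.lower() not in KNOWN_HOSTS)
    return unexpected, sorted(forgotten)

if __name__ == "__main__":
    now = datetime(2026, 6, 22, tzinfo=timezone.utc)
    bad, hosts = review(SAMPLE_RECORDS, now)
    for rec in bad:
        print("unexpected issuer:", rec["issuer"], rec["sans"])
    print("hosts not in inventory:", hosts)
```
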

A note on what is exposed

Because the logs are public, the subdomains in your certificates are public too. Wildcard certificates (*.example.com) hide individual hostnames, which is one reason teams use them for internal services. There is no opting out of logging for a publicly trusted certificate.

You can search the logs for any domain with the CT Log Lookup tool. Each certificate it surfaces can be inspected further with the guide on how to read an SSL certificate.