Certificate Transparency - Discovery

[doloban]

The Majority of serious Certification Authorities, that issue TLS certificates, are involved in Certificate Transparency, so it seems like a good idea to be able to Discover TLS certificates for specific domain from CZERTAINLY.

The use case would be, as administrator, to be able to find all TLS certificates issued for my domains with the help of Certificate Transparency.

Specific use cases:

• Marketing department has websites on several addresses on several domains
• Support department has demo application servers hosted somewhere on Clouds
• Operations Department has production servers published on the internet

[3keyroman]

Hello @doloban , thanks for the suggestion.

We are currently finalizing the design of new connector that will allow to discover certificates from CT logs based on domains and subdomains. In combination with triggers and notifications, it will provide users of CZERTAINLY with the monitoring capabilities for you public certificates.

The connector is planned to be released during this September.
It should work in the following way:

1. Insert domains you would like to discover certificates for from CT logs
2. Do you want to discover certificates also for subdomains?
3. Do you want to discover all certificates?
4. Select specific dates before and after to choose from specific period when the certificates were issued and logged.

You should be able to schedule such discovery to monitor new certificates in time and receive notification if something has changed.

Example use case:
We would like to monitor certificates for only whitelisted subdomains. Then we can set the schedule for discovery in CT logs on daily basis. Setup triggers to apply rules on certificates that have unknown subdomain, and notify such certificates, or apply some specific actions.

Do not hesitate to provide any details about how you would like to work with the connector. It will help us to better understand what you are trying to achieve.

With best regards,
Roman

[3keyroman]

@doloban , we have implemented CT-Logs-Discovery-Provider that can be deployed with the tag develop-latest and used within the CZERTAINLY. It is also supported by the lates development version of Helm chart 0.0.0.

This connector will discover certificates from CT logs that are unexpired for some specific domain or subdomains using integration with the SSLMate CT Search API. Discovered certificates can be managed in the consistent way as others that are included in the inventory.

You can try it, and send your feedback. We would be happy to hear from you, what is the use case you are looking for.