Comment by jpalomaki

3 years ago

As mentioned there are services for doing this (I've been using for example the free service from Facebook [1])

Since the certificates are nowadays renewing quite often, it's very easy to just end up ignoring these notifications. To really get the benefits, I think you should somehow combine these with logs from the legit cert renewals and only alert when something strange pops up.

[1] https://developers.facebook.com/tools/ct/search/

Indeed, a CT monitor which sends alerts about legitimate certificates is almost useless due to noise. My service, Cert Spotter, provides an API endpoint[1] which you can upload your CSRs to, so you don't get alerted about certificates using the same key as the CSR. The open source version of Cert Spotter can invoke a script[2] when a certificate is discovered, and the script can cross reference against a list of legitimate certs.

[1] https://sslmate.com/help/reference/certspotter_authorization...

[2] https://github.com/SSLMate/certspotter/blob/master/man/certs...

  • Could it check against public key for the certificate?

    • Yes, the script can consult the $PUBKEY_SHA256 environment variable to get the hash of the certificate's public key.