SEC-007 recommended SSL/Certificates

SSL transparency reports

Monitor Certificate Transparency logs to receive alerts when new SSL certificates are issued for your domains, detecting potential compromise.

Question to ask

"Would you know if someone issued a cert for your domain?"

Pass criteria

  • CT monitoring service configured
  • Alerts route to appropriate team
  • Can produce list of all valid certificates

Fail criteria

  • No CT monitoring in place
  • Monitoring exists but no alerting
  • Unknown certificates found in CT logs

Verification guide

Severity: Recommended

Check automatically:

  1. Check current certificates via CT logs:

     # Query crt.sh for certificates logged for the domain (replace example.com)
     curl -s "https://crt.sh/?q=example.com&output=json" | jq '.[] | {issuer: .issuer_name, not_before: .not_before, not_after: .not_after}' | head -20

  2. Check for CT monitoring config in the codebase:

     # Look for CT monitoring references in config and docs
     grep -riE "certificate.?transparency|ct.?monitor|cert.?alert|ssl.?monitor" . --include="*.yml" --include="*.yaml" --include="*.json" --include="*.md" 2>/dev/null

  3. Check Cloudflare CT monitoring (Pro+ plans):

     # List the zone's Cloudflare-managed edge certificates (replace ZONE_ID; token needs SSL read access)
     curl -s -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/ssl/certificate_packs" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result'
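
The crt.sh query above returns raw rows; the check that matters is whether any of them were issued by a CA the team does not use. The following is an added example (not part of this checklist or of crt.sh) that parses crt.sh-shaped JSON, deduplicates precertificate/certificate pairs by serial number, lists the certificates valid on a given date, and flags issuers outside an allow-list. The sample rows and the allow-list `EXPECTED_ISSUER_ORGS` are constructed assumptions.

```python
import json
from datetime import datetime
# Constructed sample shaped like crt.sh's "?output=json" response (not real certificates). crt.sh
# lists the precertificate and final certificate as separate rows with one serial number, hence dedup.
SAMPLE_CRTSH_JSON = json.dumps([
    {"serial_number": "01", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"serial_number": "01", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"serial_number": "02", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-03-20T00:00:00", "not_after": "2024-06-18T23:59:59"},
    {"serial_number": "03", "issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA",
     "name_value": "mail.example.com",
     "not_before": "2024-03-25T00:00:00", "not_after": "2025-03-25T23:59:59"},
])
# Assumption: the organisation only obtains certificates from these CAs (matched on the O= field).
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}

def issuer_org(issuer_name):
    """Pull the O= component out of a crt.sh issuer_name string (simple comma split)."""
    return next((p[2:] for p in issuer_name.split(", ") if p.startswith("O=")), "")

def parse_crtsh(raw_json):
    """Parse crt.sh JSON into one record per unique serial number."""
    certs = {}
    for row in json.loads(raw_json):
        certs.setdefault(row["serial_number"], {
            "serial": row["serial_number"],
            "issuer_org": issuer_org(row["issuer_name"]),
            "names": sorted(set(row["name_value"].split("\n"))),
            "not_before": datetime.fromisoformat(row["not_before"]),
            "not_after": datetime.fromisoformat(row["not_after"]),
        })
    return list(certs.values())

def currently_valid(certs, now_iso):
    """Certificates whose validity window contains now_iso: the 'all valid certs' evidence."""
    now = datetime.fromisoformat(now_iso)
    return [c for c in certs if c["not_before"] <= now <= c["not_after"]]

def unexpected_issuers(certs, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Certificates from a CA outside the allow-list: the condition that should alert the team."""
    return [c for c in certs if c["issuer_org"] not in expected_orgs]

if __name__ == "__main__":
    certs = parse_crtsh(SAMPLE_CRTSH_JSON)
    for c in unexpected_issuers(certs):
        print(f"ALERT: unexpected issuer {c['issuer_org']!r} for {c['names']} (serial {c['serial']})")
```

Run against live data by replacing `SAMPLE_CRTSH_JSON` with the output of the crt.sh query above; a non-empty result from `unexpected_issuers` is the "unknown certificates found in CT logs" fail condition.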

CT Monitoring services:

  • Cloudflare - Built-in for Pro+ plans
  • Cert Spotter (sslmate.com) - Free monitoring + email alerts
  • Facebook CT Monitor - developers.facebook.com/tools/ct
  • crt.sh - Free lookup (no alerting)

Ask user:

  • Is there a CT monitoring service configured?
  • Where do alerts go when new certs are issued?
  • Has a CT alert ever fired? (proves it works)

Cross-reference with:

  • SEC-001 (Cloudflare) - Cloudflare can provide CT monitoring
  • Section 35 (Incident Response) - Rogue cert issuance is a security incident

Pass criteria:

  • CT monitoring service configured for all domains
  • Alerts route to security/ops team
  • Can produce list of all valid certificates for domains

Fail criteria:

  • No CT monitoring in place
  • CT monitoring exists but no alerting configured
  • Unknown/unexpected certificates found in CT logs
  • Team unaware of recently issued certificates

Evidence to capture:

  • CT monitoring service in use
  • Alert destination
  • Recent certificate list from crt.sh
  • Date of last CT alert (if any)

Section: 13. Infrastructure Security / Observability