A publication-grade monograph generated from Certificate Transparency
Certificate Transparency was designed to make rogue certificate issuance visible. The logs are enormous, contiguous, public. Almost everyone uses them as a search index — "did anyone issue a cert for example.com I didn't expect?" — and then walks away. But the logs are also the most complete, regulator-grade picture of a domain estate's actual cryptographic posture, and almost no tooling treats them that way.
CertTransparencySearch is built for the latter use case. The output is a monograph, not a search result.
The pipeline:

- Find currently-valid leaf certificates whose Subject Alternative Names contain configured search terms. Search terms live in a `.local.txt` file that's gitignored — the public repo never sees what you were looking for.
- Verify each is actually a leaf, not a CA certificate or a precertificate that someone forgot was distinct from the issued cert. CT logs include both. People who don't filter end up with double-counts and confused issuer attributions.
- Assess intended usage from the Extended Key Usage and Key Usage extensions. A cert with `serverAuth` is a different kind of evidence than a cert with `clientAuth`, and they imply different organizational practices.
- Scan the DNS names exposed across the SAN corpus. Most domains exposed by a SAN have an effective CAA policy. Walk the chain of parent labels to find it.
- Evaluate the CAA policy for each name. CAA is the closest thing public PKI has to a "who is allowed to issue for this name" assertion. Where CAA is silent, anyone can issue. Where it's set, you can read the issuance governance from outside the organization.
- Cross-reference an optional local-only Subject-CN cohort — names you specifically care about — against the wider estate.
- Emit the monograph. Markdown for editing. LaTeX for the print pipeline. PDF for the regulator who's going to read this and not your `git log`.
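The CAA steps above (walk the parent-label chain, then decide whether a given CA is authorised) are the part of the pipeline most often done wrong. This is an added, stand-alone illustration of that RFC 8659 lookup and evaluation, not code from CertTransparencySearch; it uses the Python standard library only, and the `ZONE` map is constructed in-memory data standing in for live DNS answers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 7 (0x80) is the issuer-critical flag
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # issuer domain plus optional ";param=value" list; ";" alone means "nobody"

# Constructed zone data standing in for live CAA lookups; not any real organisation's policy.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),  # no CA may issue wildcards under this name
        CAARecord(0, "iodef", "mailto:pki@example.com"),
    ],
    "api.prod.example.com": [CAARecord(0, "issue", "digicert.com; cansignhttpexchanges=yes")],
    "other.test": [CAARecord(0, "iodef", "mailto:pki@other.test")],  # iodef only: no restriction
}

def relevant_rrset(name, zone=ZONE):
    """RFC 8659 s3: climb towards (but excluding) the root; first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def ca_may_issue(name, issuer_domain, zone=ZONE):
    """Return (allowed, reason) for issuer_domain issuing a certificate for name."""
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA RRset anywhere in the chain: any CA may issue"
    # A critical record whose tag the CA does not understand forbids issuance outright.
    for r in rrset:
        if r.flags & 0x80 and r.tag not in {"issue", "issuewild", "iodef"}:
            return False, f"critical unknown tag {r.tag!r} at {owner}"
    # Wildcard requests consult issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if name.startswith("*.") and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True, f"CAA at {owner} carries no {tag} property: issuance unrestricted"
    for r in props:
        permitted = r.value.split(";", 1)[0].strip().lower()  # drop ";key=value" parameters
        if permitted == issuer_domain.lower():
            return True, f"{tag} {r.value!r} at {owner} authorises {issuer_domain}"
    return False, f"{tag} at {owner} does not authorise {issuer_domain}"
```

Note that a more specific CAA RRset (here at `api.prod.example.com`) replaces the parent's policy entirely rather than merging with it, and that a wildcard name with no `issuewild` in scope falls back to the `issue` properties.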
The discipline that makes this useful is that the output is meant to be shared. So the repo separates configuration from data: real search terms live only in domains.local.txt, real focused subject-CN cohorts live only in focus_subjects.local.txt, generated artefacts live in output/, caches live in their own directory. The public source tree never reveals what was looked at, only how it was looked at.
There is a real shortage of tools that treat Certificate Transparency as a primary source for institutional analysis rather than a real-time alerting feed. The CA ecosystem's compliance work, the regulator-side audits, the institutional posture assessments — these all want a monograph, not a notification. This builds the monograph.
What becomes possible: a one-shot, reproducible report that a regulator, an auditor, or a senior security architect can read end-to-end and arrive at the same conclusions as the analyst who ran the pipeline.