Certificate Transparency Monitoring
Certificate Transparency (CT) Monitoring sends you emails when certificates — including backup certificates — are issued for your domain. This feature is in public beta and is opt-in.
Every website must have a certificate to be trusted by major browsers. A certificate is a proof of identity — it says that you are who you say you are. These certificates help browsers like Google Chrome “know” that a connection is secure before presenting content. Certificates are recorded in public CT logs, such as Google’s Argon log and Cloudflare’s Nimbus log.
If you enable Certificate Transparency (CT) Monitoring, Cloudflare will send you an email whenever your domain is recognized in a CT log. Usually, these certificates are legitimate and do not require further action. Cloudflare sends emails so you can double-check for yourself. If you use a shared certificate, you may receive emails for domains or subdomains that do not belong to you.
In rare cases, you may believe a certificate is illegitimate. This is when you should take action.
Opt in and out
Alerts are turned off by default. If you want to receive alerts, go to SSL/TLS > Edge Certificates and enable Certificate Transparency Monitoring. If you are in a Business or Enterprise zone, select Add Email.
|All account members||All account members||Specified email addresses||Specified email addresses|
To stop receiving alerts, disable Certificate Transparency Monitoring or remove your email from the feature card.
Emails to be concerned about
Most certificate alerts are routine. Cloudflare sends alerts whenever a certificate for your domain appears in a log. Certificates expire (and must be reissued), so it is completely normal to receive issuance emails. If your domain is listed in the email, along with reasonable ownership and certificate information, then no action is required.
Additionally, you should check whether the certificate was issued through Cloudflare. To view all Cloudflare-issued certificates and backup certificates - which require no additional actions - visit the Edge Certificates page in the dashboard.
You should take action when something is clearly wrong, such as if you:
- Do not recognize the certificate issuer
- Have recently noticed problems with your website
How to take action
Option 1: Contact certificate authorities
Only Certificate Authorities can revoke malicious certificates. If you believe an illegitimate certificate was issued for your domain, contact the Certificate Authority listed as the Issuer in the email.
Option 2: Contact domain registrars
Domain registrars may be able to suspend potentially malicious domains. If, for example, you notice that a malicious domain was registered through GoDaddy, contact GoDaddy’s support team to see if they can help you. Do the same for other registrars.
Option 3: Improvise
There are other ways to combat malicious certificates. You can warn your visitors with an on-site notification, ask browser makers (Google for Chrome, etc.) to block these domains, or you can contact us to help combat malicious certificates.
If someone is attempting to impersonate you online, you should absolutely take action. This is usually difficult to recognize, so exercise caution. Remember: the vast majority of certificates are not malicious. Only take action if you believe something is wrong.
HTTP Public Key Pinning
Certificate Transparency Monitoring addresses the same problems as HTTP Public Key Pinning (HPKP), but with fewer technical issues.
Cloudflare does not offer or support HPKP and advises against using it with Universal SSL.