Certificate Transparency Monitoring
Certificate Transparency (CT) Monitoring is an opt-in feature in public beta that aims at improving security by allowing you to double-check any SSL/TLS certificates issued for your domain.
CT Monitoring alerts are triggered not only by Cloudflare processes - including backup certificates -, but whenever a certificate that covers your monitored domain is issued by a Certificate Authority (CA) and added to a public CT log. You can learn more about how this works in the introductory blog post ↗.
Free | Pro | Business | Enterprise | |
---|---|---|---|---|
Availability | Yes | Yes | Yes | Yes |
Email Recipients | All account members | All account members | Specified email addresses | Specified email addresses |
Alerts are turned off by default. If you want to receive alerts, go to SSL/TLS > Edge Certificates ↗ and enable Certificate Transparency Monitoring. If you are in a Business or Enterprise zone, select Add Email.
To stop receiving alerts, disable Certificate Transparency Monitoring or remove your email from the feature card.
Most certificate alerts are routine. Cloudflare sends alerts whenever a certificate for your domain appears in a log. Certificates expire (and must be reissued), so it is completely normal to receive issuance emails. If your domain is listed in the email, along with reasonable ownership and certificate information, then no action is required.
Additionally, you should check whether the certificate was issued through Cloudflare. Cloudflare partners with multiple CAs to provide certificates. To view all Cloudflare-issued certificates and backup certificates - which require no additional actions - visit the Edge Certificates page ↗ in the dashboard.
You should take action when something is clearly wrong, such as if you:
-
Do not recognize the certificate issuer.
-
Have recently noticed problems with your website.
Only Certificate Authorities can revoke malicious certificates. If you believe an illegitimate certificate was issued for your domain, contact the Certificate Authority listed as the Issuer in the email.
Domain registrars may be able to suspend potentially malicious domains. If, for example, you notice that a malicious domain was registered through GoDaddy, contact GoDaddy’s support team to see if they can help you. Do the same for other registrars.
There are other ways to combat malicious certificates. You can warn your visitors with an on-site notification or ask browser makers (Google for Chrome, etc.) to block these domains.
If someone is attempting to impersonate you online, you should absolutely take action. This is usually difficult to recognize, so exercise caution. Remember: the vast majority of certificates are not malicious. Only take action if you believe something is wrong.
Certificate Transparency Monitoring addresses the same problems as HTTP Public Key Pinning (HPKP), but with fewer technical issues ↗.
Cloudflare does not offer or support HPKP and advises against using it with Universal SSL.