What is Certificate Transparency monitoring?
Every certificate issued by a public CA is published to public Certificate Transparency (CT) logs. CertSentry watches those logs for your registrable domain and tells you whenever a new certificate is issued for it — including for any subdomain.
Why you'd want this
A certificate you didn't expect can be the first sign of:
- a mis-issued or unauthorised certificate,
- shadow IT — a forgotten service or a team spinning something up under your domain,
- an attacker preparing a lookalike host for phishing.
Even when everything is legitimate, it's a complete audit trail of every certificate that exists for your domain — useful for security reviews and inventory.
How it works
When you enable CT on a monitor:
- The first sweep is a silent baseline — we record what already exists without alerting, so you don't get a wall of notifications for certificates you already know about.
- After that, any genuinely new certificate triggers an alert with the issuer and the names it covers.
- Identity is matched on the certificate's contents, so failing over between CT data sources never re-alerts on a certificate you've already seen.
Availability
Certificate Transparency monitoring is included on the Pro and Agency plans. See what's included in each plan.