Ostania aktualizacja: | Zobacz całą dokumentację
Certificate Transparency (CT) is a system for logging and monitoring the issuance of TLS certificates. CT greatly enhances everyone's ability to monitor and study certificate issuance, and these capabilities have led to numerous improvements to the CA ecosystem and Web security. As a result, CT is rapidly becoming critical infrastructure.
Let's Encrypt submits all certificates we issue to CT logs. We also operate two annually sharded CT logs named Oak and Sapling. All publicly trusted certificate authorities are welcome to submit to our logs. Many certificate authority root certificates have already been included in our CT logs. If you operate a Certificate Authority and your issuer is not in our accepted issuers list, please file an issue here.
Sign up for notifications in the CT announcements category of our community forum to see major announcements about our CT logs.
Funding
If your organization would like to help us continue this work, please consider sponsoring or donating.
Architecture
Check out our blog to see How Let's Encrypt Runs CT Logs!
Log Monitoring
Let's Encrypt has created an open-source CT log monitoring tool called CT Woodpecker. We use this tool to monitor the stability and compliance of our own logs, and we hope others will find it to be useful as well.
CT Logs
Information about the various lifecycle states that a CT log progresses through can be found here.
Production
- Oak is incorporated into the Apple and Google CT programs.
- Our production ACME API environment submits certificates here.
-
-
Name: Oak 2019
URI: https://oak.ct.letsencrypt.org/2019
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFkqNKRuZ+Z8IOsnNJrUZ8gwp+KKGOdQrJ/HKhSadK/SJuoCc9+dxQ7awpmWIMr9SKcQeG5uRzG1kVSyFN4Wfcw==
Log ID:65:9B:33:50:F4:3B:12:CC:5E:A5:AB:4E:C7:65:D3:FD:E6:C8:82:43:77:77:78:E7:20:03:F9:EB:2B:8C:31:29
Window Start:2019-01-01T00:00Z
Window End:2020-01-07T00:00Z
State: Rejected - Shard Expired -
Name: Oak 2020
URI: https://oak.ct.letsencrypt.org/2020
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfzb42Zdr/h7hgqgDCo1vrNJqGqbcUvJGJEER9DDqp19W/wFSB0l166hD+U5cAXchpH8ZkBNUuvOHS0OnJ4oJrQ==
Log ID:E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E
Window Start:2020-01-01T00:00Z
Window End:2021-01-07T00:00Z
State: Rejected - Shard Expired -
Name: Oak 2021
URI: https://oak.ct.letsencrypt.org/2021
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELsYzGMNwo8rBIlaklBIdmD2Ofn6HkfrjK0Ukz1uOIUC6Lm0jTITCXhoIdjs7JkyXnwuwYiJYiH7sE1YeKu8k9w==
Log ID:94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D:D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2
Window Start:2021-01-01T00:00Z
Window End:2022-01-07T00:00Z
State: Rejected - Shard Expired -
Name: Oak 2022
URI: https://oak.ct.letsencrypt.org/2022
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhjyxDVIjWt5u9sB/o2S8rcGJ2pdZTGA8+IpXhI/tvKBjElGE5r3de4yAfeOPhqTqqc+o7vPgXnDgu/a9/B+RLg==
Log ID:DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
Window Start:2022-01-01T00:00Z
Window End:2023-01-07T00:00Z
State: Rejected - Shard Expired -
Name: Oak 2023
URI: https://oak.ct.letsencrypt.org/2023
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz0OeL7jrVxEXJu+o4QWQYLKyokXHiPOOKVUL3/TNFFquVzDSer7kZ3gijxzBp98ZTgRgMSaWgCmZ8OD74mFUQ==
Log ID:B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
Window Start:2023-01-01T00:00Z
Window End:2024-01-07T00:00Z
State: Rejected - Shard Expired -
Name: Oak 2024h1
URI: https://oak.ct.letsencrypt.org/2024h1
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVkPXfnvUcre6qVG9NpO36bWSD+pet0Wjkv3JpTyArBog7yUvuOEg96g6LgeN5uuk4n0kY59Gv5RzUo2Wrqkm/Q==
Log ID:3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
Window Start:2023-12-20T00:00Z
Window End:2024-07-20T00:00Z
State: Usable -
Name: Oak 2024h2
URI: https://oak.ct.letsencrypt.org/2024h2
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE13PWU0fp88nVfBbC1o9wZfryUTapE4Av7fmU01qL6E8zz8PTidRfWmaJuiAfccvKu5+f81wtHqOBWa+Ss20waA==
Log ID:3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
Window Start:2024-06-20T00:00Z
Window End:2025-01-20T00:00Z
State: Usable -
Name: Oak 2025h1
URI: https://oak.ct.letsencrypt.org/2025h1
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKeBpU9ejnCaIZeX39EsdF5vDvf8ELTHdLPxikl4y4EiROIQfS4ercpnMHfh8+TxYVFs3ELGr2IP7hPGVPy4vHA==
Log ID:A2:E3:0A:E4:45:EF:BD:AD:9B:7E:38:ED:47:67:77:53:D7:82:5B:84:94:D7:2B:5E:1B:2C:C4:B9:50:A4:47:E7
Window Start:2024-12-20T00:00Z
Window End:2025-07-20T00:00Z
State: Usable -
Name: Oak 2025h2
URI: https://oak.ct.letsencrypt.org/2025h2
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtXYwB63GyNLkS9L1vqKNnP10+jrW+lldthxg090fY4eG40Xg1RvANWqrJ5GVydc9u8H3cYZp9LNfkAmqrr2NqQ==
Log ID:0D:E1:F2:30:2B:D3:0D:C1:40:62:12:09:EA:55:2E:FC:47:74:7C:B1:D7:E9:30:EF:0E:42:1E:B4:7E:4E:AA:34
Window Start:2025-06-20T00:00Z
Window End:2026-01-20T00:00Z
State: Usable -
Name: Oak 2026h1
URI: https://oak.ct.letsencrypt.org/2026h1
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmdRhcCL6d5MNs8eAliJRvyV5sQFC6UF7iwzHsmVaifT64gJG1IrHzBAHESdFSJAjQN56TYky+9cK616MovH2SQ==
Log ID:19:86:D4:C7:28:AA:6F:FE:BA:03:6F:78:2A:4D:01:91:AA:CE:2D:72:31:0F:AE:CE:5D:70:41:2D:25:4C:C7:D4
Window Start:2025-12-20T00:00Z
Window End:2026-07-20T00:00Z
State: Pending -
Name: Oak 2026h2
URI: https://oak.ct.letsencrypt.org/2026h2
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEanCds5bj7IU2lcNPnIvZfMnVkSmu69aH3AS8O/Y0D/bbCPdSqYjvuz9Z1tT29PxcqYxf+w1g5CwPFuwqsm3rFQ==
Log ID:AC:AB:30:70:6C:EB:EC:84:31:F4:13:D2:F4:91:5F:11:1E:42:24:43:B1:F2:A6:8C:4F:3C:2B:3B:A7:1E:02:C3
Window Start:2026-06-20T00:00Z
Window End:2027-01-20T00:00Z
State: Pending
-
Name: Oak 2019
Testing
- SCTs from these logs SHOULD NOT be incorporated into publicly trusted certificates.
- The Let's Encrypt production and staging ACME API environments both submit certificates to Sapling, but the production environment does not use the resulting SCTs.
- We test new versions of Trillian and certificate-transparency-go here before deploying them to production.
- Sapling's accepted roots list includes all of the Oak accepted roots, plus additional test roots.
- Sapling can be used by other certificate authorities for testing purposes.
-
-
Name: Sapling 2022h2
URI: https://sapling.ct.letsencrypt.org/2022h2
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6m0gtMM2pcVTxVjkztm/ByNrF32xacdVnbsYwlzwtqN0vOwqcXLtPkfYqH+q93hlJwEBsX1MnRXDdlMHkkmZJg==
Log ID:23:2D:41:A4:CD:AC:87:CE:D9:F9:43:F4:68:C2:82:09:5A:E0:9D:30:D6:2E:2F:A6:5D:DC:3B:91:9C:2E:46:8F
Window Start:2022-06-15T00:00Z
Window End:2023-01-15T00:00Z
-
Name: Sapling 2023h1
URI: https://sapling.ct.letsencrypt.org/2023h1
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE09jAcGbw5CDCK2Kg0kkmmDydfDfZAA8K64BufU37yx3Jcy/ePy1EjAi2wUPVJ0xsaNMCU37mh+fBV3+K/cSG8A==
Log ID:C1:83:24:0B:F1:A4:50:C7:6F:BB:00:72:69:DC:AC:3B:E2:2A:48:05:D4:db:E0:49:66:C3:C8:ab:C4:47:B0:0C
Window Start:2022-12-15T00:00Z
Window End:2023-07-15T00:00Z
-
Name: Sapling 2023h2
URI: https://sapling.ct.letsencrypt.org/2023h2
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbdCykRsTPRgfjKVQvINRLJk3gy+2qNKOU48bo/sWO0ko75S92C+PBDxsqMEd0YpCYYLogCt2LAK/U4H7UwHsjA==
Log ID:ED:AB:9D:1D:DD:83:73:95:9F:F5:2A:88:E4:6B:B4:BC:C3:C4:CC:4D:76:8A:60:CC:FF:4E:36:2D:7F:B8:D6:68
Window Start:2023-06-15T00:00Z
Window End:2024-01-15T00:00Z
-
Name: Sapling 2024h1
URI: https://sapling.ct.letsencrypt.org/2024h1
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Yn4OKJQuwEwo1/BeVBh1NYkQBnS8sYmMfQr/VdXOGqPcbwcpw0TtjJBYmn8FA+ZT7hnt7OfF4RTjLNW3bWOkw==
Log ID:AA:6C:B0:C5:C9:F4:C4:9D:8D:8E:A9:0C:39:17:E0:D7:0A:D9:22:10:BF:05:7F:41:50:93:82:CC:35:0C:98:46
Window Start:2023-12-15T00:00Z
Window End:2024-07-15T00:00Z
-
Name: Sapling 2024h2
URI: https://sapling.ct.letsencrypt.org/2024h2
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWipy8ZdRGs2Y5tBb8h8c4UUREnT/YMbm+FEUQBBScf85txhGRHNN/sNN0L/KDiGu/GsrOBCkDruDfHkD42eZXQ==
Log ID:85:1B:AE:8E:EE:33:C1:B9:87:3F:C4:9C:7A:7C:27:65:66:3B:6B:80:63:03:04:0A:EC:A6:C1:11:A5:AB:E9:D7
Window Start:2024-06-15T00:00Z
Window End:2025-01-15T00:00Z
-
Name: Sapling 2025h1
URI: https://sapling.ct.letsencrypt.org/2025h1
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0orejUR5RSyoqJ0Hyu2gAwO6d9OPGtKgqQwdBMNGkKY1Bms1vzrHaUD5LDEvjB7Ug/ThaXz9eQH03w3jFii0uw==
Log ID:21:E5:1A:44:D8:B9:E7:54:0E:A7:FB:E0:BA:D7:77:36:15:60:66:84:D1:5A:EB:33:E6:45:B4:E9:55:F3:88:83
Window Start:2024-12-15T00:00Z
Window End:2025-07-15T00:00Z
-
Name: Sapling 2022h2
Sunlight
- Let's Encrypt is testing running logs based on Sunlight.
- SCTs from these logs SHOULD NOT be incorporated into publicly trusted certificates.
- Twig will stay as a test log, and accepts the same CAs as Sapling.
- Willow and Sycamore accept the same as Oak, and are anticipated to become production logs.
-
-
Name: Twig 2025h1b
URI: https://twig.ct.letsencrypt.org/2025h1b
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/d6uF9Yw5/3Lo4nJIdWqY0D9H/v/J/WHWqgl8gmTa6AKiBo5CFddHwlU3wj+pgaQm2OhzV2MnXZCOpbLxyk8LA==
Log ID:lZC9hfLPxQZJmKurW7JsLnoXZwKRHBO2i0gF4euUJ+8=
Window Start:2024-12-17T00:00Z
Window End:2025-06-17T00:00Z
-
Name: Twig 2025h2b
URI: https://twig.ct.letsencrypt.org/2025h2b
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1WZDmBaw9OoQTk8Yf/IvYkXPw6R6A+uBwHf1L4OrI4gsf/g5s9qtFEF6/NhG3R0+nxfha3apbUjdtNWln9yvkg==
Log ID:wF0gVDhcss+yF5INLw3Hg1JhR7GqT++Xynjh8LuE/O0=
Window Start:2025-06-17T00:00Z
Window End:2025-12-16T00:00Z
-
Name: Sycamore 2025h1b
URI: https://sycamore.ct.letsencrypt.org/2025h1b
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELnRI9kk9Ahd4T2qNIrqLPvf5lO44NBYwD9lwoV9MqerizPLRDEjzLw2GXa7MonZEXhcMABNHgViY6kb1LeBDJg==
Log ID:TgJ3oMtvarf2feceaghbLRgMKXeCS/tMK72dLNQR874=
Window Start:2024-12-18T00:00Z
Window End:2025-06-18T00:00Z
-
Name: Sycamore 2025h2b
URI: https://sycamore.ct.letsencrypt.org/2025h2b
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEocuurm/JTMcynwKIeUHntdBm8OuLHcK6HgWD5wkE6JCcsPx1i1jAnULV8TSrzdzb8YSIx+VgFp+/YmqGUMHE5w==
Log ID:94/yCGmtl2pDc7SsqLOyAxSOFO3mi+FBU1uhNot7qAY=
Window Start:2025-06-18T00:00Z
Window End:2025-12-17T00:00Z
-
Name: Willow 2025h1b
URI: https://willow.ct.letsencrypt.org/2025h1b
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbNmWXyYsF2pohGOAiNELea6UL4/XioI3w6ChE5Udlos0HUqM7KOHIP9qBuWCVs6VAdtDXrvanmxKq52Whh2+2w==
Log ID:IX7IijpQPODOtMQx74xNVMHVjB9SuiP0KekrE2jAgWE=
Window Start:2024-12-19T00:00Z
Window End:2025-06-19T00:00Z
-
Name: Willow 2025h2c
URI: https://willow.ct.letsencrypt.org/2025h2c
Public Key:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaUvzqBm/C9pNUsVI1jqpms5OkW3Kk+Eb3/veW6P3ogOItkqqEvkZfU7zBbsvm1j1Ep003iNUGFOrilPl5TpCRg==
Log ID:kqECxXwi2rGMzCrnH9TMWcBdJR2hbHPiKBvT8LBImIc=
Window Start:2025-06-19T00:00Z
Window End:2025-12-18T00:00Z
-
Name: Twig 2025h1b
Log Operations
To enumerate the included roots for a particular CT log, you can run the following command in the terminal of your choice:
$ for i in $(curl -s https://oak.ct.letsencrypt.org/2020/ct/v1/get-roots | jq -r '.certificates[]'); do echo '------'; base64 -d <<< "${i}" | openssl x509 -inform der -noout -issuer -serial done
Submitting certificates to a CT log is typically handled by certificate authorities. If you'd like to experiment with this, begin by retrieving an arbitrary PEM encoded certificate from our favorite website. Copy and paste the following block into your terminal.
$ echo | \ openssl s_client \ -connect "letsencrypt.org":443 \ -servername "letsencrypt.org" \ -verify_hostname "letsencrypt.org" 2>/dev/null | \ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.crt
Before a certificate can be submitted, it must be JSON encoded within a special structure. You can use the JSON generator provided by https://crt.sh/gen-add-chain to perform this task. The crt.sh utility will return a JSON bundle. Download the bundle to your computer, rename the file if you must, and issue the following command to perform the add-chain operation (RFC 6962 section 4.1) to submit the certificate to a CT log. The output will contain a signature which is in fact an SCT. More on the signature in a moment.
$ curl \ -X POST \ --data @example-json-bundle.json \ -H "Content-Type: application/json" \ -H "User-Agent: lets-encrypt-ct-log-example-1.0" \ https://oak.ct.letsencrypt.org/2020/ct/v1/add-chain {"sct_version":0,"id":"5xLysDd+GmL7jskMYYTx6ns3y1YdESZb8+DzS/JBVG4=","timestamp":1576689972016,"extensions":"","signature":"BAMARzBFAiEA4OmuTcft9Jq3XLtcdZz9XinXCvYEY1RdSQICXayMJ+0CIHuujkKBLmQz5Cl/VG6C354cP9gxW0dfgMWB+A2yHi+E"}
To confirm that the CT log was signed by the Oak 2020 shard, we use the id field from the command above and run it through the following command. The result of this will output the Log ID of the CT log.
$ base64 -d <<< "5xLysDd+GmL7jskMYYTx6ns3y1YdESZb8+DzS/JBVG4=" | xxd -p -c 64 | sed -e 's/../&:/g' -e 's/:$//' | tr '[:lower:]' '[:upper:]' E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E
Using the signature field, we can verify that the certificate was submitted to a log. Using our SCT deep dive guide, you could further decode this value.
$ base64 -d <<< "BAMARzBFAiEA4OmuTcft9Jq3XLtcdZz9XinXCvYEY1RdSQICXayMJ+0CIHuujkKBLmQz5Cl/VG6C354cP9gxW0dfgMWB+A2yHi+E" | xxd -p -c 16 | sed -e 's/../&:/g' -e 's/:$//' | tr '[:lower:]' '[:upper:]' 04:03:00:47:30:45:02:21:00:E0:E9:AE:4D:C7:ED:F4 9A:B7:5C:BB:5C:75:9C:FD:5E:29:D7:0A:F6:04:63:54 5D:49:02:02:5D:AC:8C:27:ED:02:20:7B:AE:8E:42:81 2E:64:33:E4:29:7F:54:6E:82:DF:9E:1C:3F:D8:31:5B 47:5F:80:C5:81:F8:0D:B2:1E:2F:84