How it works

Every publicly trusted TLS certificate must be logged in a Certificate Transparency (CT) log before browsers will trust it. CertControl polls these logs daily via crt.sh (with automatic fallback to CertSpotter) and alerts you to every new certificate issued for your monitored domains.

Each alert is classified as either:

  • known — the certificate's SAN matches an endpoint already in your monitored list
  • unknown — the certificate was issued for a hostname not yet in your inventory. This may indicate shadow IT, a misconfiguration, or an unauthorised issuance

Unknown certificates automatically trigger the auto-discovery scanner to investigate the new hostname.

1. Add domains to monitor

Go to CT Monitor in the left-hand menu and click Add domain. Enter a root domain — for example example.com. CertControl will monitor this domain and all its subdomains.

Tip: Add every domain your organisation owns — including older acquired domains and internal-use domains that may have received public certificates.

2. Automated daily checks

CertControl runs CT checks automatically every night. Each run fetches all newly logged certificates since the last check, deduplicates them by serial number, and creates alerts only for new issuances. You do not need to do anything — alerts appear automatically in the CT Monitor dashboard.

You can also trigger a manual check at any time by clicking Run check now on any domain, or run a check for all monitored domains at once.
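As an added example (not CertControl's own code), the known/unknown classification described under "How it works" together with the nightly dedupe-by-serial step: parse crt.sh-style rows, collapse duplicate rows by serial number, skip serials alerted on in an earlier run, and label each remaining certificate against the endpoint inventory. The sample rows, the inventory, the previously alerted serials and the wildcard-matching policy are all constructed assumptions.

```python
import json
# Constructed crt.sh-style JSON rows (not real log data). crt.sh emits one row per
# (certificate, identity), so one certificate repeats with the same serial_number.
CRTSH_RESPONSE = json.dumps([
    {"id": 1001, "serial_number": "04A1", "issuer_name": "O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"id": 1001, "serial_number": "04A1", "issuer_name": "O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
    {"id": 1002, "serial_number": "7F3C", "issuer_name": "O=Some Other CA, CN=R1",
     "name_value": "staging-db.example.com"},
    {"id": 1003, "serial_number": "9E10", "issuer_name": "O=Let's Encrypt, CN=R3",
     "name_value": "*.apps.example.com"},
])
# Inventoried endpoints and serials already alerted on in a previous run (constructed).
INVENTORY = {"www.example.com", "example.com", "portal.apps.example.com"}
ALREADY_ALERTED = {"04a1"}

def dedupe_by_serial(rows):
    """Collapse crt.sh rows to one record per certificate serial number."""
    by_serial = {}
    for row in rows:
        by_serial.setdefault(row["serial_number"].lower(), row)
    return list(by_serial.values())

def san_matches_inventory(san, inventory):
    """Exact match, or (assumed policy) a single-label wildcard that covers an
    inventoried endpoint, e.g. *.apps.example.com covers portal.apps.example.com."""
    if san in inventory:
        return True
    if san.startswith("*."):
        return any(h.endswith(san[1:]) and h.count(".") == san.count(".") for h in inventory)
    return False

def classify(cert, inventory):
    """'known' only if every SAN maps to the inventory, otherwise 'unknown'."""
    sans = [n.strip().lower() for n in cert["name_value"].split("\n") if n.strip()]
    return ("known" if all(san_matches_inventory(s, inventory) for s in sans) else "unknown"), sans

def run_check(json_text, inventory, already_alerted):
    """One nightly run: parse, dedupe by serial, skip serials alerted before, classify."""
    alerts = []
    for cert in dedupe_by_serial(json.loads(json_text)):
        serial = cert["serial_number"].lower()
        if serial in already_alerted:
            continue
        status, sans = classify(cert, inventory)
        alerts.append({"serial": serial, "status": status, "sans": sans,
                       "issuer": cert["issuer_name"], "crtsh": f"https://crt.sh/?id={cert['id']}"})
        already_alerted.add(serial)
    return alerts
```

Running `run_check(CRTSH_RESPONSE, INVENTORY, ALREADY_ALERTED)` yields two alerts: the staging-db certificate as unknown (a hostname missing from the inventory) and the wildcard certificate as known, while the duplicated, previously alerted 04A1 rows produce nothing.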

3. Review alerts

Each alert shows the certificate's:

  • Subject CN and full SAN list — what hostnames the certificate covers
  • Issuer — which CA signed it (useful for detecting certificates from unexpected CAs)
  • Validity period — issue date and expiry
  • crt.sh link — direct link to the public CT log entry for investigation

Investigate unknown certificates immediately. A certificate issued from an unexpected CA or for an unexpected hostname may indicate a compromised CA, a misconfigured ACME client, or an insider threat.

4. Acknowledge alerts

Once you have reviewed an alert and confirmed it is legitimate, click Acknowledge to mark it as reviewed. Acknowledged alerts are removed from the active queue but remain in the history for audit purposes. Deleting an alert removes it entirely (admin only).

5. Configure CAA records (recommended)

To prevent unauthorised certificate issuance at the source, add CAA DNS records to your domains. A CAA record declares which CAs are permitted to issue certificates for your domain; any CA not listed must refuse to issue.

Example: example.com. CAA 0 issue "letsencrypt.org" — only allows Let's Encrypt to issue for this domain. See the CAA records guide for a full walkthrough.