Certificate Transparency
Overview
Certificate Transparency (CT) is an open framework of public, append-only logs, monitors and auditors (RFC 6962) that lets domain owners see every publicly trusted certificate issued for their domains. Browser root programs require publicly trusted CAs to log the certificates they issue, so a misissued or rogue certificate becomes discoverable by anyone watching the logs instead of only by whoever happens to be served it.
Put more simply: CT logs are public records of issued certificates, operated by independent log operators (several of which are also CAs, but a log is separate from the CA that issued the certificate). Anyone, including the domain owner, can watch them to detect a certificate issued for a domain by a CA the owner never asked, whether the cause was an attacker or a CA mistake.
Why do we need CT?
In short, domain validation can be subverted (DNS tampering, a hijacked validation path, a compromised or careless CA) and a rogue certificate issued. Without CT the domain owner has no way of learning that such a certificate exists, because only the attacker and the issuing CA hold a copy. For a real-world account, see https://sslmate.com/blog/post/elizabeth_warren_and_certificate_transparency
Details
Signed Certificate Timestamp (SCT)
When a certificate authority or a server operator submits a certificate to a log, the log responds with a Signed Certificate Timestamp (SCT). An SCT is the log's signed promise that it will add the certificate to the log within a fixed window, the maximum merge delay (MMD), which keeps certificates from lingering unlogged; an SCT is therefore evidence of submission, not proof of inclusion, and auditors check after the MMD that the promise was kept. The SCT travels with the certificate for the certificate's lifetime. A TLS server delivers SCTs to the client in one of three ways: embedded in the certificate as an X.509 extension, in the signed_certificate_timestamp TLS extension, or inside a stapled OCSP response. CT-enforcing clients such as Chrome and Safari reject publicly trusted certificates that do not come with qualifying SCTs.
Example. Before the Amazon CA issues a publicly trusted SSL/TLS certificate for your domain, it submits the certificate (strictly, a precertificate: a copy of the to-be-signed certificate carrying a "poison" extension, so SCTs can be obtained before the final certificate exists) to at least two certificate transparency log servers. These servers add the certificate to their public databases and return an SCT each to the Amazon CA. The CA then embeds the SCTs in the certificate, signs the certificate, and issues it to you. The timestamps are carried alongside the other X.509 extensions. https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency
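The SCT list extension described above has a fixed wire format (RFC 6962 sections 3.2 and 3.3): a DER OCTET STRING wrapping a TLS-encoded list of SCTs, each being version, 32-byte log ID, millisecond timestamp, extensions and a DigitallySigned signature. The following is an added example, not code from the original page or from any CA or log: a stand-alone Python builder and parser for that format, with a helper that computes the merge deadline from the SCT timestamp and a 24-hour MMD. The log IDs and signature bytes in the sample are made-up placeholders; the parser returns the signature raw and does not verify it, which would require the log's public key and the precertificate TBS.

```python
import struct
from datetime import datetime, timedelta, timezone

# X.509 extension OID under which a CA embeds SCTs (RFC 6962, section 3.3).
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

# TLS 1.2 SignatureAndHashAlgorithm code points used in the SCT's DigitallySigned.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


def _der_octet_string(payload: bytes) -> bytes:
    """Wrap payload in a DER OCTET STRING (tag 0x04), as the extension value is."""
    n = len(payload)
    if n < 0x80:
        return b"\x04" + bytes([n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(len_bytes)]) + len_bytes + payload


def _der_octet_string_payload(der: bytes) -> bytes:
    """Strip the DER OCTET STRING header and return the TLS-encoded list inside."""
    if not der or der[0] != 0x04:
        raise ValueError("extension value is not a DER OCTET STRING")
    length, offset = der[1], 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    payload = der[offset:offset + length]
    if len(payload) != length or offset + length != len(der):
        raise ValueError("OCTET STRING length does not match extension value")
    return payload


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
              extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Serialise one v1 SCT: version || log_id || timestamp || extensions || DigitallySigned."""
    if len(log_id) != 32:
        raise ValueError("log_id must be the 32-byte SHA-256 of the log's public key")
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts: list) -> bytes:
    """Serialise a SignedCertificateTimestampList and wrap it as the extension value."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return _der_octet_string(struct.pack(">H", len(body)) + body)


def parse_sct(sct: bytes) -> dict:
    """Decode one SCT; the signature is returned raw, not verified (needs the log's key)."""
    if len(sct) < 1 + 32 + 8 + 2 + 4:
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    pos = 43
    if pos + ext_len + 4 > len(sct):
        raise ValueError("extensions length overruns SCT")
    extensions = sct[pos:pos + ext_len]
    pos += ext_len
    hash_alg, sig_alg = sct[pos], sct[pos + 1]
    (sig_len,) = struct.unpack(">H", sct[pos + 2:pos + 4])
    pos += 4
    signature = sct[pos:pos + sig_len]
    if pos + sig_len != len(sct):
        raise ValueError("signature length does not match SCT length")
    return {
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
        "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
        "signature": signature,
    }


def parse_sct_list(ext_value: bytes) -> list:
    """Decode the full extension value into a list of SCT dicts."""
    data = _der_octet_string_payload(ext_value)
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("sct_list length does not match")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def merge_deadline(sct: dict, mmd: timedelta = timedelta(hours=24)) -> datetime:
    """Latest time by which the log must have merged the entry (timestamp + MMD)."""
    return sct["timestamp"] + mmd


# Constructed sample: two SCTs from two made-up logs. The log IDs and the
# signature bytes are placeholders, not real log keys or real signatures.
SAMPLE_EXTENSION = build_sct_list([
    build_sct(b"\x11" * 32, 1700000000000, b"\x30\x45" + b"\xaa" * 69),
    build_sct(b"\x22" * 32, 1700000000500, b"\x30\x44" + b"\xbb" * 68),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_EXTENSION):
        print(sct["log_id"][:16], sct["timestamp"].isoformat(),
              "merge by", merge_deadline(sct).isoformat(), sct["sig_alg"])
```

On a real certificate, the bytes handed to parse_sct_list are the value of the extension with OID 1.3.6.1.4.1.11129.2.4.2; a log ID can then be matched against the published log list to find the operator, and a timestamp plus MMD later than the current time means the entry cannot yet be audited for inclusion.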
Tooling
Because CT logs are public and expose a standard HTTP API (RFC 6962), useful tools can be built on top of them. The most common is a monitor: a service that watches the logs for new issuances matching your domains and alerts you to anything you did not request.
Cert Spotter
SSLMate's Cert Spotter monitors the logs and exposes the issuances it has seen through an HTTP API. The query below lists certificates for github.com and its subdomains, expanding the DNS names and the certificate itself in each result:
curl 'https://api.certspotter.com/v1/issuances?domain=github.com&include_subdomains=true&expand=dns_names&expand=cert'
https://github.com/SSLMate/certspotter
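What a domain owner does with that output is the actual security check: compare each issuance against what they know they asked for. The following is an added example, not code from the original page or from SSLMate: a Python audit over a constructed response shaped like the Cert Spotter issuances API, flagging certificates from an issuer not on the owner's allowlist, names missing from the owner's inventory, and wildcards. The field names (id, dns_names, issuer.friendly_name, not_before, not_after, revoked) follow that API and assume the query also passed expand=issuer; every value in the sample is made up, and EXPECTED_ISSUERS and KNOWN_NAMES stand in for the owner's own records.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample shaped like a Cert Spotter /v1/issuances response.
# Field names follow that API (issuer object assumes expand=issuer was
# requested); all values are made up for this example.
SAMPLE_RESPONSE = json.dumps([
    {"id": "101", "dns_names": ["example.com", "www.example.com"],
     "issuer": {"friendly_name": "Let's Encrypt"},
     "not_before": "2024-03-01T00:00:00Z", "not_after": "2024-05-30T00:00:00Z",
     "revoked": False},
    {"id": "102", "dns_names": ["*.example.com"],
     "issuer": {"friendly_name": "Unexpected CA Ltd"},
     "not_before": "2024-03-02T00:00:00Z", "not_after": "2025-03-02T00:00:00Z",
     "revoked": False},
    {"id": "103", "dns_names": ["login.example.com", "example.com"],
     "issuer": {"friendly_name": "Let's Encrypt"},
     "not_before": "2024-03-03T00:00:00Z", "not_after": "2024-06-01T00:00:00Z",
     "revoked": False},
])

# The owner's own records (assumed): which CAs they use and which names exist.
EXPECTED_ISSUERS = {"Let's Encrypt"}
KNOWN_NAMES = {"example.com", "www.example.com"}


def _parse_rfc3339(value: str) -> datetime:
    """Parse the API's RFC 3339 timestamps, which end in 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_issuances(raw_json: str, expected_issuers: set, known_names: set,
                    now: Optional[datetime] = None) -> list:
    """Return one finding per live issuance that contradicts the owner's expectations."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for iss in json.loads(raw_json):
        # Revoked or expired certificates are no longer usable against clients.
        if iss.get("revoked") or _parse_rfc3339(iss["not_after"]) < now:
            continue
        reasons = []
        issuer = iss["issuer"]["friendly_name"]
        if issuer not in expected_issuers:
            reasons.append(f"issued by {issuer!r}, not an expected CA")
        unknown = sorted(n for n in iss["dns_names"] if n not in known_names)
        if unknown:
            reasons.append("covers names not in inventory: " + ", ".join(unknown))
        if any(n.startswith("*.") for n in iss["dns_names"]):
            reasons.append("wildcard certificate covers every subdomain")
        if reasons:
            findings.append({"id": iss["id"], "dns_names": iss["dns_names"],
                             "issuer": issuer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    fixed_now = datetime(2024, 4, 1, tzinfo=timezone.utc)   # so the sample stays live
    for f in audit_issuances(SAMPLE_RESPONSE, EXPECTED_ISSUERS, KNOWN_NAMES, now=fixed_now):
        print(f["id"], f["dns_names"], "->", "; ".join(f["reasons"]))
```

In practice the JSON comes from the curl command above, run on a schedule; an unexpected issuer is the strongest signal, since a legitimate but forgotten certificate from your own CA usually only means the inventory is stale, while a certificate from a CA you never use is what CT exists to surface.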