13 Mar

Certificate Transparency Notifications

by Ivan Ristić

If you're like me, you want to know about new certificates that are issued for your domain names. In fact, that's the whole point of Certificate Transparency (CT), to be able to keep an eye on what Certification Authorities are doing in your name. Hardenize has supported real-time CT monitoring for several months already, but now we've added one simple yet very useful feature—email notifications for CT discoveries.

By default, CT discovery notifications are disabled. Before you enable this feature, however, you will first need to decide who in your organization is going to be responsible for certificate monitoring. At this time we support two options. In smaller organizations you can have everyone responsible, which means that everyone will receive notifications about important events, including CT discoveries. That may not work well in larger organizations, which is why the other option is to assign a dedicated management team to certificate management. If you choose this approach, only the members of this team will receive the notifications.

Back on the topic of CT discovery notifications, we support two different approaches. If you want to find out about every discovery as it happens, select the first option and you'll get exactly that. We do suspect that, after a while, you will grow tired of being notified about certificates you already know about, which is why the other option is to notify you only about those discoveries we find unusual, or escalated, as we call them. For example, we escalate a discovery if we discover that it's violating your CAA policy. We also have a dozen or so custom rules that you can configure to either automatically dismiss new discoveries or manually escalate them based on certificate contents.
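As an added illustration of the escalation logic described above (example code, not Hardenize's own), here is a small Python triage routine that escalates a CT discovery when it violates the domain's CAA policy and otherwise applies custom dismiss/escalate rules based on certificate contents. The CAA evaluation is a simplified RFC 8659 check, and the CAA records, rules and domain names are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class Discovery:
    """One certificate seen in CT logs (constructed sample, not a real discovery)."""
    domain: str             # name the certificate was issued for
    issuer_caa_id: str      # CA identifier as used in CAA records, e.g. "letsencrypt.org"
    wildcard: bool = False  # True for "*.example.com"-style names

def caa_permits(records, discovery):
    """True if the CAA record set allows this issuance.

    records: (tag, value) pairs already resolved for the relevant name.
    Simplified RFC 8659 logic: "issuewild" governs wildcard names and falls back
    to "issue" when absent; no relevant record leaves issuance unrestricted; the
    value ";" forbids every CA; CA parameters after ";" are ignored.
    """
    tag = "issuewild" if discovery.wildcard else "issue"
    relevant = [v for t, v in records if t == tag]
    if discovery.wildcard and not relevant:
        relevant = [v for t, v in records if t == "issue"]
    if not relevant:
        return True
    allowed = {v.split(";")[0].strip() for v in relevant}
    return discovery.issuer_caa_id in allowed

def triage(discovery, records, rules=()):
    """Return "escalate", "dismiss" or "notify" for one discovery.

    A CAA violation always escalates. Otherwise the custom rules, given as
    (predicate, action) pairs, are applied in order and the first match wins;
    with no match the discovery becomes an ordinary notification.
    """
    if not caa_permits(records, discovery):
        return "escalate"
    for predicate, action in rules:
        if predicate(discovery):
            return action
    return "notify"

# Constructed sample policy: only Let's Encrypt may issue, and never for wildcards.
SAMPLE_CAA = [("issue", "letsencrypt.org"), ("issuewild", ";")]
# Constructed custom rules: dismiss the expected CA for the apex name,
# escalate anything issued for names under an internal label.
SAMPLE_RULES = [
    (lambda d: d.issuer_caa_id == "letsencrypt.org" and d.domain == "example.com", "dismiss"),
    (lambda d: d.domain.endswith(".internal.example.com"), "escalate"),
]
```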