CT Log (Certificate Transparency Log)

An append-only, cryptographically verifiable log of all TLS certificates submitted to the Certificate Transparency ecosystem. CT logs use a Merkle tree structure so that any inclusion or tampering can be independently verified by log monitors. When a CA submits a certificate to a CT log, the log returns a Signed Certificate Timestamp (SCT) that browsers check during the TLS handshake. Public CT logs are operated by Google (Argon, Xenon), Cloudflare (Nimbus), DigiCert, and others. Domain owners can monitor CT logs for unauthorised certificate issuance using services like crt.sh.