Shell script for monitoring certificates emitted for a domain via Certificate Transparency logs
This script compares known certificates (stored locally) and registered certificates logged in public Certificate Transparency logs. It uses certspotter API and can retrieves certificates directly from host when it finds a registered certificate not already known.
Syntax of this script mainly inspired by check_ssl_cert, by Matteo Corti.
This script is free software, licensed as GPLv3.
Usage: check_ct_logs -H domain -d certificate_directory [-a API_KEY -h -g -D] This script compares known certificates (stored locally) and registered certificates logged in public Certificate Transparency logs. It uses certspotter API, from https://certspotter.com Arguments: -H, --host server -d, --certificate-directory where to find known certificates (PEM encoded) Options: -h, --help print this information and exits -a, --api-key CertSpotter API key. Needed if you do checks on a regular basis. Get one on : https://sslmate.com/signup?for=certspotter_api -c, --certspotter Certspotter API URL. Defaults to https://api.certspotter.com/v1/issuances But you can change to your instance if you run certspotter locally (see https://github.com/SSLMate/certspotter ) -i, --include-subdomains if set, the include subdomains option is set this will search for the hostname and all subdomains -g, --get-from-host if set, tries to contact host on port 443 to retrieve certificate from there if there is a registered certificate not known locally. -D, --debug print debug information
Just put this script along your other checks, and put known certificates in a directory that your monitoring software can read (and write if you use the --get-from-host option)
If you plan to use it for monitoring, you should get an API key for cert spotter (free up to 1000 queries / hour)
Please report bugs to https://github.com/Samuel-BF/check_ct_logs