|
1 | 1 | --- |
2 | 2 | title: Certificate Transparency (CT) Logs |
3 | 3 | slug: ct-logs |
4 | | -lastmod: 2025-08-27 |
| 4 | +lastmod: 2025-12-11 |
5 | 5 | show_lastmod: 1 |
6 | 6 | --- |
7 | 7 |
|
@@ -40,84 +40,46 @@ <h2>Funding</h2> |
40 | 40 | <a href="https://www.abetterinternet.org/sponsor/">sponsoring or donating</a>. |
41 | 41 | </p> |
42 | 42 |
|
43 | | -<h2>Architecture</h2> |
44 | | - |
45 | | -<p> |
46 | | - Check out our blog to see |
47 | | - <a href="https://letsencrypt.org/2019/11/20/how-le-runs-ct-logs.html" |
48 | | - >How Let's Encrypt Runs CT Logs</a |
49 | | - >! |
50 | | -</p> |
51 | | - |
52 | | -<h2>Log Monitoring</h2> |
53 | | - |
54 | | -<p> |
55 | | - Let's Encrypt has created an open-source CT log monitoring tool called |
56 | | - <a href="https://github.com/letsencrypt/ct-woodpecker">CT Woodpecker</a>. We |
57 | | - use this tool to monitor the stability and compliance of our own logs, and we |
58 | | - hope others will find it to be useful as well. |
59 | | -</p> |
60 | | - |
61 | 43 | <h2>CT Logs</h2> |
62 | 44 | <p> |
63 | 45 | Information about the various lifecycle states that a CT log progresses through can be found <a href="https://googlechrome.github.io/CertificateTransparency/log_states.html">here</a>. |
64 | 46 | </p> |
65 | 47 |
|
66 | 48 | <h3>Sunlight</h3> |
67 | 49 | <p> |
68 | | - Let's Encrypt is transitioning to operating logs based on <a href="https://sunlight.dev">Sunlight</a>. |
| 50 | + Let's Encrypt currently operates <a href="https://c2sp.org/static-ct-api">static-ct</a> logs based on |
| 51 | + <a href="https://sunlight.dev">Sunlight</a>. |
| 52 | +</p> |
| 53 | +<p> |
69 | 54 | Information including accepted roots, public keys, log IDs, and shard intervals are available at each log's |
70 | 55 | landing page, linked below. |
71 | 56 | </p> |
72 | | -<p>Sycamore and Willow are our new production CT logs, accepting certificates from trusted CAs.</p> |
| 57 | +<p>Sycamore and Willow are our production CT logs, accepting certificates from trusted CAs.</p> |
73 | 58 | <ul> |
74 | 59 | <li><b>Sycamore</b>: <a href="https://log.sycamore.ct.letsencrypt.org/">log.sycamore.ct.letsencrypt.org</a></li> |
75 | 60 | <li><b>Willow</b>: <a href="https://log.willow.ct.letsencrypt.org/">log.willow.ct.letsencrypt.org</a></li> |
76 | 61 | </ul> |
77 | | -<p>Twig is a test log, accepting certificates from trusted CAs as well as some additional test CAs, including the Let's |
78 | | - Encrypt staging environment.</p> |
| 62 | +<p> |
| 63 | + Twig is a test log, accepting certificates from trusted CAs as well as some additional test CAs, including the Let's |
| 64 | + Encrypt staging environment. |
| 65 | +</p> |
79 | 66 | <ul> |
80 | 67 | <li><b>Twig</b>: <a href="https://log.twig.ct.letsencrypt.org/">log.twig.ct.letsencrypt.org</a></li> |
81 | 68 | </ul> |
82 | 69 |
|
83 | 70 |
|
84 | | -{{< ct_logs data="production" >}} |
85 | | -<li> |
86 | | - Oak is incorporated into the |
87 | | - <a href="https://support.apple.com/en-us/HT209255">Apple</a> and |
88 | | - <a href="https://github.com/chromium/ct-policy/blob/master/ct_policy.md" |
89 | | - >Google</a |
90 | | - > |
91 | | - CT programs. |
92 | | -</li> |
93 | | -<li>Our production ACME API environment submits certificates here.</li> |
94 | | -{{< /ct_logs >}} {{< ct_logs data="testing" >}} |
95 | | -<li> |
96 | | - SCTs from these logs <b>SHOULD NOT</b> be incorporated into publicly trusted |
97 | | - certificates. |
98 | | -</li> |
99 | | -<li> |
100 | | - The Let's Encrypt production and |
101 | | - <a href="/docs/staging-environment">staging</a> ACME API environments both |
102 | | - submit certificates to Sapling, but the production environment does not use |
103 | | - the resulting SCTs. |
104 | | -</li> |
105 | | -<li> |
106 | | - We test new versions of |
107 | | - <a href="http://github.com/google/trillian">Trillian</a> and |
108 | | - <a href="https://github.com/google/certificate-transparency-go" |
109 | | - >certificate-transparency-go</a |
110 | | - > |
111 | | - here before deploying them to production. |
112 | | -</li> |
113 | | -<li> |
114 | | - Sapling's accepted roots list includes all of the Oak accepted roots, plus |
115 | | - additional test roots. |
116 | | -</li> |
117 | | -<li> |
118 | | - Sapling can be used by other certificate authorities for testing purposes. |
119 | | -</li> |
120 | | -{{< /ct_logs >}} |
| 71 | +<h3>RFC 6962 Logs EOL</h3> |
| 72 | +<p> |
| 73 | + Let's Encrypt formerly ran a log based on Trillian, implementing the RFC 6962 API. It is currently available |
| 74 | + read-only, and will be shut down in February 2026. For more information, see the |
| 75 | + <a href="https://letsencrypt.org/2025/08/14/rfc-6962-logs-eol"> |
| 76 | + end of life plan for our RFC 6962 Certificate Transparency logs |
| 77 | + </a>. URLs and log keys can be found in Google and Apple's CT log lists, if required. |
| 78 | + The old production log was called Oak. |
| 79 | +</p> |
| 80 | +<p> |
| 81 | + We also ran test logs called Testflume and Sapling, which are no longer available. |
| 82 | +</p> |
121 | 83 |
|
122 | 84 | <h2>Log Operations</h2> |
123 | 85 | <p> |
|
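Review bot: The rewritten Twig paragraph (new lines 62-65) says the log accepts additional test CAs and the Let's Encrypt staging environment, but this hunk deletes the page's only statement that SCTs from test logs SHOULD NOT be incorporated into publicly trusted certificates (old lines 96-97), and none of the added lines replace it. That sentence sat in the testing ct_logs block alongside the Sapling items, so please confirm whether it applies to Twig; if it does, carry it into the Twig paragraph so CA operators still see the restriction. Separately, the new RFC 6962 section (new lines 73-78) sends readers to "Google and Apple's CT log lists" for Oak's URLs and log keys without linking either, while the removed lines 87-88 carried hrefs for both CT programs; add links there. The wording "currently available read-only" and "will be shut down in February 2026" will go stale after the shutdown, so consider phrasing that stays accurate afterwards or plan a follow-up edit.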