Certificate transparency
Learn how Validin collects and delivers certificate data.
Certificate Transparency (CT) data provides visibility into publicly logged TLS certificates issued across the internet.
Validin's CT dataset records certificate issuance and reuse to support analysis of domain relationships, certificate lifecycle changes, and shared infrastructure.
Data collection model
Validin collects Certificate Transparency data by continuously monitoring global Certificate Transparency (CT) logs.
Collection is passive and log-based and does not depend on DNS resolution, host availability, or active service measurement.
Certificate records are ingested directly from publicly available CT logs and stored as historical observations.
Note: Certificate Transparency data is independent of host response collection. Certificates may be observed in CT logs even when the associated service is not reachable or not yet deployed.
Coverage scope
Validin monitors global CT logs at scale and maintains long-term historical coverage.
| Attribute | Value |
|---|---|
| Monitoring start | 2020 |
| Certificates observed | ~1.5 billion per month |
| Log coverage | Global CT logs |
| Collection model | Continuous monitoring |
Certificate records include initial issuance, renewal, and replacement events.
Certificate data extracted
Validin extracts and stores structured certificate fields from CT log entries.
| Certificate field | Description |
|---|---|
| Subject | Certificate subject fields |
| Issuer | Certificate authority information |
| SANs | Subject Alternative Name values |
| Validity period | Not before and not after timestamps |
| Serial number | Certificate serial identifier |
| Fingerprints | MD5 and SHA256 certificate hashes |
Each certificate is stored with timestamps to support historical analysis.
Active and passive certificate context
Certificate data is exposed in the platform in two ways:
| Context | Description |
|---|---|
| Active certificates | Certificates observed during host response collection |
| Passive certificates | Certificates indexed directly from CT logs |
This separation allows analysis of certificate issuance independently from observed network services.
Note: A certificate may appear in CT logs before DNS records exist or before a service becomes reachable.
Certificate reuse and correlation
Certificate data supports correlation across domains and infrastructure.
Common analysis patterns include:
- Multiple domains sharing the same certificate
- Reuse of certificates across IP addresses
- Shared SAN values across unrelated domains
- Certificate rotation associated with infrastructure changes
These correlations support identification of related assets and shared operational patterns.
Historical certificate state
Validin maintains historical Certificate Transparency data dating back to 2020.
Historical certificate data includes:
- First seen and last seen timestamps
- Reissuance and renewal events
- Changes to SAN lists
- Issuer changes over time
This allows reconstruction of certificate usage at specific points in time.
Change tracking
Certificate changes are recorded as individual observations over time.
| Change type | Description |
|---|---|
| New issuance | Certificate first observed |
| Reissuance | Certificate renewed or replaced |
| SAN change | Modification to SAN values |
| Issuer change | Change in certificate authority |
Changes can be correlated with DNS and host response data to support infrastructure analysis.
Note: Tracking certificate reuse and change patterns supports identification of shared infrastructure and coordinated updates.
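The SAN-based correlation and the change types described above can be derived from a set of certificate observations, as in this added example (not Validin's code or API). The record layout, field names, and sample values are constructed for illustration, and the functions `san_neighbours` and `classify_changes` are hypothetical.

```python
# Constructed sample records (not Validin output). Field names are assumptions
# modelled on the certificate fields listed on this page.
OBSERVATIONS = [
    {"sha256": "aa11", "issuer": "CA One", "first_seen": "2023-01-10",
     "sans": ["shop.example", "www.shop.example"]},
    {"sha256": "bb22", "issuer": "CA One", "first_seen": "2023-04-05",
     "sans": ["shop.example", "www.shop.example"]},
    {"sha256": "cc33", "issuer": "CA Two", "first_seen": "2023-07-01",
     "sans": ["shop.example", "www.shop.example", "pay.example"]},
    {"sha256": "dd44", "issuer": "CA Two", "first_seen": "2023-07-02",
     "sans": ["pay.example", "login.example"]},
]


def san_neighbours(observations, domain):
    """Domains that have shared at least one certificate with `domain`."""
    related = set()
    for cert in observations:
        if domain in cert["sans"]:
            related.update(cert["sans"])
    related.discard(domain)
    return related


def classify_changes(observations, domain):
    """Label each certificate naming `domain` with the change types above."""
    # ISO 8601 dates sort correctly as plain strings.
    history = sorted((c for c in observations if domain in c["sans"]),
                     key=lambda c: c["first_seen"])
    timeline, previous = [], None
    for cert in history:
        if previous is None:
            labels = ["new issuance"]
        else:
            labels = ["reissuance"]
            if set(cert["sans"]) != set(previous["sans"]):
                labels.append("SAN change")
            if cert["issuer"] != previous["issuer"]:
                labels.append("issuer change")
        timeline.append((cert["first_seen"], cert["sha256"], labels))
        previous = cert
    return timeline


if __name__ == "__main__":
    for entry in classify_changes(OBSERVATIONS, "shop.example"):
        print(entry)
    print(sorted(san_neighbours(OBSERVATIONS, "shop.example")))
```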
Data access in the platform
Certificate Transparency data is exposed as queryable historical data, including:
- Certificate metadata and fingerprints
- SAN-based domain relationships
- Issuer and validity timelines
- Correlation with DNS and host response data
Certificate data is accessed as a historical dataset and does not require live service availability.
