Certificate Transparency (CT) Logs

Certificate Transparency (CT) is a system for logging and monitoring the issuance of TLS certificates. CT greatly enhances everyone's ability to monitor and study certificate issuance, and these capabilities have led to numerous improvements to the CA ecosystem and Web security. As a result, CT is rapidly becoming critical infrastructure.

Let's Encrypt submits all certificates we issue to CT logs. We also operate two annually sharded CT logs named Oak and Sapling. All publicly trusted certificate authorities are welcome to submit to our logs. Many certificate authority root certificates have already been included in our CT logs. If you operate a Certificate Authority and your issuer is not in our accepted issuers list, please file an issue here.

Sign up for notifications in the CT announcements category of our community forum to see major announcements about our CT logs.

Funding

If your organization would like to help us continue this work, please consider sponsoring or donating.

Architecture

Check out our blog to see How Let's Encrypt Runs CT Logs!

Log Monitoring

Let's Encrypt has created an open-source CT log monitoring tool called CT Woodpecker. We use this tool to monitor the stability and compliance of our own logs, and we hope others will find it to be useful as well.

CT Logs

Information about the various lifecycle states that a CT log progresses through can be found here.

Production

• Oak is incorporated into the Apple and Google CT programs.
• Our production ACME API environment submits certificates here.
• • Name: Oak 2019
    URI: https://oak.ct.letsencrypt.org/2019
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFkqNKRuZ+Z8IOsnNJrUZ8gwp+KKGOdQrJ/HKhSadK/SJuoCc9+dxQ7awpmWIMr9SKcQeG5uRzG1kVSyFN4Wfcw==
    Log ID: 65:9B:33:50:F4:3B:12:CC:5E:A5:AB:4E:C7:65:D3:FD:E6:C8:82:43:77:77:78:E7:20:03:F9:EB:2B:8C:31:29
    Window Start: 2019-01-01T00:00Z
    Window End: 2020-01-07T00:00Z
    State: Rejected - Shard Expired
  • Name: Oak 2020
    URI: https://oak.ct.letsencrypt.org/2020
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfzb42Zdr/h7hgqgDCo1vrNJqGqbcUvJGJEER9DDqp19W/wFSB0l166hD+U5cAXchpH8ZkBNUuvOHS0OnJ4oJrQ==
    Log ID: E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E
    Window Start: 2020-01-01T00:00Z
    Window End: 2021-01-07T00:00Z
    State: Rejected - Shard Expired
  • Name: Oak 2021
    URI: https://oak.ct.letsencrypt.org/2021
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELsYzGMNwo8rBIlaklBIdmD2Ofn6HkfrjK0Ukz1uOIUC6Lm0jTITCXhoIdjs7JkyXnwuwYiJYiH7sE1YeKu8k9w==
    Log ID: 94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D:D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2
    Window Start: 2021-01-01T00:00Z
    Window End: 2022-01-07T00:00Z
    State: Rejected - Shard Expired
  • Name: Oak 2022
    URI: https://oak.ct.letsencrypt.org/2022
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhjyxDVIjWt5u9sB/o2S8rcGJ2pdZTGA8+IpXhI/tvKBjElGE5r3de4yAfeOPhqTqqc+o7vPgXnDgu/a9/B+RLg==
    Log ID: DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
    Window Start: 2022-01-01T00:00Z
    Window End: 2023-01-07T00:00Z
    State: Rejected - Shard Expired
  • Name: Oak 2023
    URI: https://oak.ct.letsencrypt.org/2023
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz0OeL7jrVxEXJu+o4QWQYLKyokXHiPOOKVUL3/TNFFquVzDSer7kZ3gijxzBp98ZTgRgMSaWgCmZ8OD74mFUQ==
    Log ID: B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
    Window Start: 2023-01-01T00:00Z
    Window End: 2024-01-07T00:00Z
    State: Rejected - Shard Expired
  • Name: Oak 2024h1
    URI: https://oak.ct.letsencrypt.org/2024h1
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVkPXfnvUcre6qVG9NpO36bWSD+pet0Wjkv3JpTyArBog7yUvuOEg96g6LgeN5uuk4n0kY59Gv5RzUo2Wrqkm/Q==
    Log ID: 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
    Window Start: 2023-12-20T00:00Z
    Window End: 2024-07-20T00:00Z
    State: Rejected - Shard Expired
  • Name: Oak 2024h2
    URI: https://oak.ct.letsencrypt.org/2024h2
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE13PWU0fp88nVfBbC1o9wZfryUTapE4Av7fmU01qL6E8zz8PTidRfWmaJuiAfccvKu5+f81wtHqOBWa+Ss20waA==
    Log ID: 3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
    Window Start: 2024-06-20T00:00Z
    Window End: 2025-01-20T00:00Z
    State: Usable
  • Name: Oak 2025h1
    URI: https://oak.ct.letsencrypt.org/2025h1
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKeBpU9ejnCaIZeX39EsdF5vDvf8ELTHdLPxikl4y4EiROIQfS4ercpnMHfh8+TxYVFs3ELGr2IP7hPGVPy4vHA==
    Log ID: A2:E3:0A:E4:45:EF:BD:AD:9B:7E:38:ED:47:67:77:53:D7:82:5B:84:94:D7:2B:5E:1B:2C:C4:B9:50:A4:47:E7
    Window Start: 2024-12-20T00:00Z
    Window End: 2025-07-20T00:00Z
    State: Usable
  • Name: Oak 2025h2
    URI: https://oak.ct.letsencrypt.org/2025h2
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtXYwB63GyNLkS9L1vqKNnP10+jrW+lldthxg090fY4eG40Xg1RvANWqrJ5GVydc9u8H3cYZp9LNfkAmqrr2NqQ==
    Log ID: 0D:E1:F2:30:2B:D3:0D:C1:40:62:12:09:EA:55:2E:FC:47:74:7C:B1:D7:E9:30:EF:0E:42:1E:B4:7E:4E:AA:34
    Window Start: 2025-06-20T00:00Z
    Window End: 2026-01-20T00:00Z
    State: Usable
  • Name: Oak 2026h1
    URI: https://oak.ct.letsencrypt.org/2026h1
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmdRhcCL6d5MNs8eAliJRvyV5sQFC6UF7iwzHsmVaifT64gJG1IrHzBAHESdFSJAjQN56TYky+9cK616MovH2SQ==
    Log ID: 19:86:D4:C7:28:AA:6F:FE:BA:03:6F:78:2A:4D:01:91:AA:CE:2D:72:31:0F:AE:CE:5D:70:41:2D:25:4C:C7:D4
    Window Start: 2025-12-20T00:00Z
    Window End: 2026-07-20T00:00Z
    State: Usable
  • Name: Oak 2026h2
    URI: https://oak.ct.letsencrypt.org/2026h2
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEanCds5bj7IU2lcNPnIvZfMnVkSmu69aH3AS8O/Y0D/bbCPdSqYjvuz9Z1tT29PxcqYxf+w1g5CwPFuwqsm3rFQ==
    Log ID: AC:AB:30:70:6C:EB:EC:84:31:F4:13:D2:F4:91:5F:11:1E:42:24:43:B1:F2:A6:8C:4F:3C:2B:3B:A7:1E:02:C3
    Window Start: 2026-06-20T00:00Z
    Window End: 2027-01-20T00:00Z
    State: Usable

Testing

• SCTs from these logs SHOULD NOT be incorporated into publicly trusted certificates.
• The Let's Encrypt production and staging ACME API environments both submit certificates to Sapling, but the production environment does not use the resulting SCTs.
• We test new versions of Trillian and certificate-transparency-go here before deploying them to production.
• Sapling's accepted roots list includes all of the Oak accepted roots, plus additional test roots.
• Sapling can be used by other certificate authorities for testing purposes.
• • Name: Sapling 2022h2
    URI: https://sapling.ct.letsencrypt.org/2022h2
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6m0gtMM2pcVTxVjkztm/ByNrF32xacdVnbsYwlzwtqN0vOwqcXLtPkfYqH+q93hlJwEBsX1MnRXDdlMHkkmZJg==
    Log ID: 23:2D:41:A4:CD:AC:87:CE:D9:F9:43:F4:68:C2:82:09:5A:E0:9D:30:D6:2E:2F:A6:5D:DC:3B:91:9C:2E:46:8F
    Window Start: 2022-06-15T00:00Z
    Window End: 2023-01-15T00:00Z
    
  • Name: Sapling 2023h1
    URI: https://sapling.ct.letsencrypt.org/2023h1
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE09jAcGbw5CDCK2Kg0kkmmDydfDfZAA8K64BufU37yx3Jcy/ePy1EjAi2wUPVJ0xsaNMCU37mh+fBV3+K/cSG8A==
    Log ID: C1:83:24:0B:F1:A4:50:C7:6F:BB:00:72:69:DC:AC:3B:E2:2A:48:05:D4:db:E0:49:66:C3:C8:ab:C4:47:B0:0C
    Window Start: 2022-12-15T00:00Z
    Window End: 2023-07-15T00:00Z
    
  • Name: Sapling 2023h2
    URI: https://sapling.ct.letsencrypt.org/2023h2
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbdCykRsTPRgfjKVQvINRLJk3gy+2qNKOU48bo/sWO0ko75S92C+PBDxsqMEd0YpCYYLogCt2LAK/U4H7UwHsjA==
    Log ID: ED:AB:9D:1D:DD:83:73:95:9F:F5:2A:88:E4:6B:B4:BC:C3:C4:CC:4D:76:8A:60:CC:FF:4E:36:2D:7F:B8:D6:68
    Window Start: 2023-06-15T00:00Z
    Window End: 2024-01-15T00:00Z
    
  • Name: Sapling 2024h1
    URI: https://sapling.ct.letsencrypt.org/2024h1
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Yn4OKJQuwEwo1/BeVBh1NYkQBnS8sYmMfQr/VdXOGqPcbwcpw0TtjJBYmn8FA+ZT7hnt7OfF4RTjLNW3bWOkw==
    Log ID: AA:6C:B0:C5:C9:F4:C4:9D:8D:8E:A9:0C:39:17:E0:D7:0A:D9:22:10:BF:05:7F:41:50:93:82:CC:35:0C:98:46
    Window Start: 2023-12-15T00:00Z
    Window End: 2024-07-15T00:00Z
    
  • Name: Sapling 2024h2
    URI: https://sapling.ct.letsencrypt.org/2024h2
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWipy8ZdRGs2Y5tBb8h8c4UUREnT/YMbm+FEUQBBScf85txhGRHNN/sNN0L/KDiGu/GsrOBCkDruDfHkD42eZXQ==
    Log ID: 85:1B:AE:8E:EE:33:C1:B9:87:3F:C4:9C:7A:7C:27:65:66:3B:6B:80:63:03:04:0A:EC:A6:C1:11:A5:AB:E9:D7
    Window Start: 2024-06-15T00:00Z
    Window End: 2025-01-15T00:00Z
    
  • Name: Sapling 2025h1
    URI: https://sapling.ct.letsencrypt.org/2025h1
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0orejUR5RSyoqJ0Hyu2gAwO6d9OPGtKgqQwdBMNGkKY1Bms1vzrHaUD5LDEvjB7Ug/ThaXz9eQH03w3jFii0uw==
    Log ID: 21:E5:1A:44:D8:B9:E7:54:0E:A7:FB:E0:BA:D7:77:36:15:60:66:84:D1:5A:EB:33:E6:45:B4:E9:55:F3:88:83
    Window Start: 2024-12-15T00:00Z
    Window End: 2025-07-15T00:00Z
    

Sunlight

• Let's Encrypt is testing running logs based on Sunlight.
• SCTs from these logs SHOULD NOT be incorporated into publicly trusted certificates.
• Twig will stay as a test log, and accepts the same CAs as Sapling.
• Willow and Sycamore accept the same as Oak, and are anticipated to become production logs.
• • Name: Twig 2025h1b
    URI: https://twig.ct.letsencrypt.org/2025h1b
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/d6uF9Yw5/3Lo4nJIdWqY0D9H/v/J/WHWqgl8gmTa6AKiBo5CFddHwlU3wj+pgaQm2OhzV2MnXZCOpbLxyk8LA==
    Log ID: lZC9hfLPxQZJmKurW7JsLnoXZwKRHBO2i0gF4euUJ+8=
    Window Start: 2024-12-17T00:00Z
    Window End: 2025-06-17T00:00Z
    
  • Name: Twig 2025h2b
    URI: https://twig.ct.letsencrypt.org/2025h2b
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1WZDmBaw9OoQTk8Yf/IvYkXPw6R6A+uBwHf1L4OrI4gsf/g5s9qtFEF6/NhG3R0+nxfha3apbUjdtNWln9yvkg==
    Log ID: wF0gVDhcss+yF5INLw3Hg1JhR7GqT++Xynjh8LuE/O0=
    Window Start: 2025-06-17T00:00Z
    Window End: 2025-12-16T00:00Z
    
  • Name: Sycamore 2025h1b
    URI: https://sycamore.ct.letsencrypt.org/2025h1b
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELnRI9kk9Ahd4T2qNIrqLPvf5lO44NBYwD9lwoV9MqerizPLRDEjzLw2GXa7MonZEXhcMABNHgViY6kb1LeBDJg==
    Log ID: TgJ3oMtvarf2feceaghbLRgMKXeCS/tMK72dLNQR874=
    Window Start: 2024-12-18T00:00Z
    Window End: 2025-06-18T00:00Z
    
  • Name: Sycamore 2025h2b
    URI: https://sycamore.ct.letsencrypt.org/2025h2b
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEocuurm/JTMcynwKIeUHntdBm8OuLHcK6HgWD5wkE6JCcsPx1i1jAnULV8TSrzdzb8YSIx+VgFp+/YmqGUMHE5w==
    Log ID: 94/yCGmtl2pDc7SsqLOyAxSOFO3mi+FBU1uhNot7qAY=
    Window Start: 2025-06-18T00:00Z
    Window End: 2025-12-17T00:00Z
    
  • Name: Willow 2025h1b
    URI: https://willow.ct.letsencrypt.org/2025h1b
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbNmWXyYsF2pohGOAiNELea6UL4/XioI3w6ChE5Udlos0HUqM7KOHIP9qBuWCVs6VAdtDXrvanmxKq52Whh2+2w==
    Log ID: IX7IijpQPODOtMQx74xNVMHVjB9SuiP0KekrE2jAgWE=
    Window Start: 2024-12-19T00:00Z
    Window End: 2025-06-19T00:00Z
    
  • Name: Willow 2025h2c
    URI: https://willow.ct.letsencrypt.org/2025h2c
    Public Key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaUvzqBm/C9pNUsVI1jqpms5OkW3Kk+Eb3/veW6P3ogOItkqqEvkZfU7zBbsvm1j1Ep003iNUGFOrilPl5TpCRg==
    Log ID: kqECxXwi2rGMzCrnH9TMWcBdJR2hbHPiKBvT8LBImIc=
    Window Start: 2025-06-19T00:00Z
    Window End: 2025-12-18T00:00Z
    

Log Operations

To enumerate the included roots for a particular CT log, you can run the following command in the terminal of your choice:

$ for i in $(curl -s https://oak.ct.letsencrypt.org/2020/ct/v1/get-roots | jq -r '.certificates[]'); do
    echo '------'; base64 -d <<< "${i}" | openssl x509 -inform der -noout -issuer -serial
done

Submitting certificates to a CT log is typically handled by certificate authorities. If you'd like to experiment with this, begin by retrieving an arbitrary PEM encoded certificate from our favorite website. Copy and paste the following block into your terminal.

$ echo | \
openssl s_client \
    -connect "letsencrypt.org":443 \
    -servername "letsencrypt.org" \
    -verify_hostname "letsencrypt.org" 2>/dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.crt

Before a certificate can be submitted, it must be JSON encoded within a special structure. You can use the JSON generator provided by https://crt.sh/gen-add-chain to perform this task. The crt.sh utility will return a JSON bundle. Download the bundle to your computer, rename the file if you must, and issue the following command to perform the add-chain operation (RFC 6962 section 4.1) to submit the certificate to a CT log. The output will contain a signature which is in fact an SCT. More on the signature in a moment.

$ curl \
    -X POST \
   --data @example-json-bundle.json \
    -H "Content-Type: application/json" \
    -H "User-Agent: lets-encrypt-ct-log-example-1.0" \
   https://oak.ct.letsencrypt.org/2020/ct/v1/add-chain
{"sct_version":0,"id":"5xLysDd+GmL7jskMYYTx6ns3y1YdESZb8+DzS/JBVG4=","timestamp":1576689972016,"extensions":"","signature":"BAMARzBFAiEA4OmuTcft9Jq3XLtcdZz9XinXCvYEY1RdSQICXayMJ+0CIHuujkKBLmQz5Cl/VG6C354cP9gxW0dfgMWB+A2yHi+E"}

To confirm that the CT log was signed by the Oak 2020 shard, we use the id field from the command above and run it through the following command. The result of this will output the Log ID of the CT log.

$ base64 -d <<< "5xLysDd+GmL7jskMYYTx6ns3y1YdESZb8+DzS/JBVG4=" | xxd -p -c 64 | sed -e 's/../&:/g' -e 's/:$//' | tr '[:lower:]' '[:upper:]'
E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E

Using the signature field, we can verify that the certificate was submitted to a log. Using our SCT deep dive guide, you could further decode this value.

$ base64 -d <<< "BAMARzBFAiEA4OmuTcft9Jq3XLtcdZz9XinXCvYEY1RdSQICXayMJ+0CIHuujkKBLmQz5Cl/VG6C354cP9gxW0dfgMWB+A2yHi+E" | xxd -p -c 16 | sed -e 's/../&:/g' -e 's/:$//' | tr '[:lower:]' '[:upper:]'
04:03:00:47:30:45:02:21:00:E0:E9:AE:4D:C7:ED:F4
9A:B7:5C:BB:5C:75:9C:FD:5E:29:D7:0A:F6:04:63:54
5D:49:02:02:5D:AC:8C:27:ED:02:20:7B:AE:8E:42:81
2E:64:33:E4:29:7F:54:6E:82:DF:9E:1C:3F:D8:31:5B
47:5F:80:C5:81:F8:0D:B2:1E:2F:84