
Indeed, a CT monitor which sends alerts about legitimate certificates is almost useless due to noise. My service, Cert Spotter, provides an API endpoint[1] which you can upload your CSRs to, so you don't get alerted about certificates using the same key as the CSR. The open source version of Cert Spotter can invoke a script[2] when a certificate is discovered, and the script can cross reference against a list of legitimate certs.

[1] https://sslmate.com/help/reference/certspotter_authorization...

[2] https://github.com/SSLMate/certspotter/blob/master/man/certs...



Could it check against the public key for the certificate?


Yes, the script can consult the $PUBKEY_SHA256 environment variable to get the hash of the certificate's public key.
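A sketch of the hook script described in this thread, added here as an example; it is not code from the thread or from the Cert Spotter project. It compares `$PUBKEY_SHA256` against an allowlist of known key hashes and alerts on anything else. The allowlist path, its file format, the alert message, and the hash being 64 hex characters are assumptions.

```shell
#!/bin/sh
# Added example: certspotter hook script that alerts only on unknown keys.
# Assumptions: allowlist path and format (one hex SHA-256 per line, '#'
# comments allowed), and that PUBKEY_SHA256 is a 64-character hex digest.
ALLOWLIST="${ALLOWLIST:-/etc/certspotter/known_pubkeys.txt}"  # hypothetical path

# Print HASH lowercased with whitespace removed; fail unless it is 64 hex chars.
normalize_hash() {
    h=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$h" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#h}" -eq 64 ] || return 1
    printf '%s' "$h"
}

# is_known_key HASH FILE: 0 = listed, 1 = not listed, 2 = bad hash or unreadable file.
is_known_key() {
    want=$(normalize_hash "$1") || return 2
    [ -r "$2" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop trailing comment
        have=$(normalize_hash "$line") || continue  # skip blank/malformed lines
        [ "$have" = "$want" ] && return 0
    done < "$2"
    return 1
}

# classify HASH FILE: prints "known", "unknown" or "error".
classify() {
    rc=0
    is_known_key "$1" "$2" || rc=$?
    case $rc in
        0) echo known ;;
        1) echo unknown ;;
        *) echo error ;;
    esac
}

# Hook entry point: runs only when certspotter has set PUBKEY_SHA256.
if [ -n "${PUBKEY_SHA256:-}" ]; then
    verdict=$(classify "$PUBKEY_SHA256" "$ALLOWLIST")
    # Fail closed: a malformed hash or unreadable allowlist still alerts.
    [ "$verdict" = known ] || echo "ALERT ($verdict key): $PUBKEY_SHA256" >&2
fi
```

Matching on the key hash rather than the certificate hash means renewals that reuse a known key stay quiet, while a certificate issued for any other key is reported.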



