Know every certificate ever issued for your domain.
Any certificate authority can issue a certificate for your domain to anyone who passes domain validation — and the only public record is the Certificate Transparency logs. Merlonix reads them continuously and alerts you the moment a certificate you have never seen appears.
How it works
01
Turn it on for a domain
Enable Certificate Transparency monitoring on any monitored asset (Team plan and up). Coverage includes every subdomain of the registrable domain — not just the hostname you monitor.
02
We baseline what exists
The first poll reads the full issuance history for your domain from the public CT logs and records it silently as your known baseline. No alert storm for the certificates you already have.
03
We re-read the logs every ~12 hours
Every certificate authority is required to publish issued certificates to public CT logs. We re-read the full set on a ~12-hour cadence and diff it against your baseline.
04
You get one alert per unknown certificate
A never-before-seen issuance fires a warning naming the issuer, the DNS names it covers, and its validity window — with honest guidance: if you or your provider requested it, no action needed; if not, investigate and consider revocation and your CAA records.
Why watch issuance, not just your endpoint
Catch the cert you never requested
Domain validation is the only bar for issuance. A compromised DNS record, a hijacked subdomain, or a mistake at any of hundreds of CAs can produce a valid certificate for your domain. The only public record that it happened is the CT log — if nobody is reading it, nobody knows.
See shadow certs your endpoint scan can’t
An endpoint-based SSL check only sees the certificate actually served on port 443. A rogue certificate used for phishing on someone else’s infrastructure never touches your server — but it does appear in the CT logs, and that is where we watch.
One alert stream with the rest of your posture
CT alerts land in the same channels and asset detail as your SSL expiry, DNS, DNSSEC, and uptime checks — a new-issuance warning reaches the same person, the same way, as everything else you monitor.
What we promise — and what we don’t
We watch the logs. We don’t judge the certificate.
Merlonix reads the public CT issuance record for your registrable domain (subdomains included) on a ~12-hour cadence, baselines what exists, and fires one warning per never-before-seen issuance with the issuer, covered names, and validity window. A truncated or failed poll is recorded honestly as such and never alerts. We cannot know whether an issuance was authorized — the alert gives you the facts and the standard response playbook; revocation, CAA hardening, and CA-account review live on your side.
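The baseline-then-diff behaviour described above, as an added sketch (not Merlonix's code). The class, field names and sample records are hypothetical and constructed; the 500-entry cap is the one stated in the limits answer on this page, and leaving the baseline untouched on a failed or truncated poll is an assumption of this example.

```python
from dataclasses import dataclass, field

POLL_LIMIT = 500  # per-poll read cap stated on this page

@dataclass(frozen=True)
class Issuance:            # one CT log record; field names are hypothetical
    fingerprint: str       # constructed placeholder for a certificate hash
    issuer: str
    dns_names: tuple
    not_before: str
    not_after: str

@dataclass
class CTMonitor:           # hypothetical class for illustration
    domain: str            # registrable domain, e.g. "example.com"
    baseline: set = field(default_factory=set)
    seeded: bool = False

    def covers(self, name: str) -> bool:
        """True for the domain itself and any subdomain, wildcards included."""
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        # The leading dot matters: "notexample.com" must not match "example.com".
        return name == self.domain or name.endswith("." + self.domain)

    def poll(self, entries, fetch_ok=True, truncated=False):
        """Return (status, alerts); partial data never alerts or changes the baseline."""
        if not fetch_ok:
            return "failed", []
        if truncated or len(entries) > POLL_LIMIT:
            return "truncated", []
        relevant = [e for e in entries if any(self.covers(n) for n in e.dns_names)]
        if not self.seeded:                       # first poll: record silently
            self.baseline = {e.fingerprint for e in relevant}
            self.seeded = True
            return "baselined", []
        alerts = []
        for e in relevant:
            if e.fingerprint not in self.baseline:
                self.baseline.add(e.fingerprint)  # dedupe: a re-poll never re-fires
                alerts.append(e)
        return "ok", alerts

# Constructed sample records (not real certificates).
KNOWN = [Issuance("fp-001", "Example CA A", ("example.com", "www.example.com"), "2024-01-01", "2024-03-31"),
         Issuance("fp-002", "Example CA A", ("*.example.com",), "2024-02-01", "2024-05-01")]
NEW = Issuance("fp-003", "Example CA B", ("login.example.com",), "2024-02-10", "2024-05-10")
LOOKALIKE = Issuance("fp-004", "Example CA B", ("notexample.com",), "2024-02-10", "2024-05-10")
```

Polling `KNOWN` first seeds the baseline with no alerts; a later poll of `KNOWN + [NEW, LOOKALIKE]` alerts once, on `NEW` only, and repeating that poll alerts on nothing.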
Common questions
What is Certificate Transparency monitoring?
Certificate Transparency (CT) is a public, append-only log system into which certificate authorities are required to publish every certificate they issue. CT monitoring means continuously reading those logs for your domain and alerting when a certificate appears that you have never seen before — including certificates issued for subdomains, and certificates that are never actually served on your website.
How is this different from normal SSL monitoring?
Endpoint SSL monitoring connects to your server and inspects the certificate it serves — expiry, chain, protocol posture. CT monitoring watches the issuance side: every certificate any CA issues for your domain, whether or not it is ever installed anywhere. A mis-issued or phishing certificate used on attacker infrastructure will never show up in an endpoint check, but it does show up in the CT logs. Merlonix does both.
Will I get an alert storm when I first enable it?
No. The first poll seeds your baseline silently: every certificate that already exists in the logs is recorded as known, with no alerts. From then on, only a genuinely new, never-before-seen issuance fires an alert — one warning per certificate, deduplicated so a re-poll never re-fires the same one.
What should I do when I get a new-certificate alert?
First check whether you, your team, or a provider (CDN, hosting platform, load balancer) requested it — automated renewals from providers like Let’s Encrypt via your CDN are the common benign case, and the alert names the issuer to make that quick. If nobody did, treat it as a possible mis-issuance: investigate the issuing CA, request revocation if unauthorized, and review your CA account security and CAA records.
What are the limits, honestly?
We read up to 500 issuances per poll; if your domain has more than that in one window, the poll is recorded as truncated and deliberately does not alert — we never diff a partial set into false alarms. Polling is on a ~12-hour cadence, so this is an issuance monitor, not a real-time feed. And we observe and alert; we do not revoke certificates or block anything — the response is yours.
Which plans include it?
Certificate Transparency monitoring is available on Team plans and up — see the pricing page for the full per-plan comparison. Endpoint SSL/TLS monitoring is included on every plan, including Free.
The logs are public. Someone should be reading yours.
Turn on Certificate Transparency monitoring and get a warning the moment an unknown certificate is issued for your domain. Start the full-workspace trial — 14 days, no card.