Certificate Transparency is an approach to improve the security of CAs issuing X.509 certificates by running a public audit-log for all issued certificates. Before a CA issues a certificate, the tbsCertificate structure (which is effectively the whole certificate without the signature) is submitted to a certificate transparency server. Should a CA issue (willingly or due to a compromise) a fraudulent certificate, it is either immediately available in the audit log and can therefore be spotted by an independent third party before it causes damage, or spotting a certificate in the wild that is not included in the audit log is a direct proof that the CA has been compromised.
How to get the hostnames from the log
Since the CT API does not have a single command that returns all the names the CA has issued certificates for, I decided to write a spider by myself in python. The tool is available on github. To download, simply type:
git clone https://github.com/eriktews/certificate-transparency-tools.git cd certificate-transparency-tools mkdir out python download_all_certs.py https://ct1.digicert-ct.com/log out/digicert- find out/ -name "digicert*precert*" | xargs -n 8000 python get_precert_cn.py | sort -u > all-digicert-pre-certificate-names-sorted.txt
The result should be a sorted list of all hostnames (including with wildcards) digicert every issued a certificate for.
So far, no special verification of the data supplied by the digicert server is done. Feel free to submit patches on github to improve this code. Also feel free to play with the data and spot any hostnames in the result that looks suspicious to you.