Monitor certificate fingerprint from different viewpoints
To harden our TLS configuration, we should make sure the certificates visible from different viewpoints on the internet match what we think they should be. This is a follow-up to issue #41374.
This is different from monitoring the certificate transparency (CT) logs (#40677), but it's complementary. CT is good in that it would allow us to check if a rogue attacker manages to MITM our servers and through that issue a (valid) cert through a CT-compatible CA. But CAs are still not obligated to publish CT logs, so a rogue could use a non-compliant CA to issue a cert. A rogue CA could also fail to publish a cert in CT.
This ticket aims at exploring possible solutions for this.
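One possible shape for such a check, as an added example that is not part of the original ticket or any existing tooling: each viewpoint runs `observe()` against the server and reports the SHA-256 fingerprint of the leaf certificate it was served, and a collector runs `evaluate()` against the fingerprints we expect. All function names, viewpoint names and sample data are hypothetical.

```python
import hashlib
import socket
import ssl
from typing import Dict, Optional, Set


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' (openssl style) or plain hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def observe(host: str, port: int = 443, timeout: float = 10.0) -> Optional[str]:
    """Run on each viewpoint: fingerprint of the leaf cert served to this host.

    Chain validation is off on purpose: a rogue but CA-valid certificate must
    be compared against the pin, not accepted because it validates.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return fingerprint(tls.getpeercert(binary_form=True))
    except OSError:
        return None  # unreachable is reported separately from a mismatch


def evaluate(expected: Set[str], observations: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each viewpoint to 'ok', 'mismatch' or 'unreachable'."""
    pins = {normalize(fp) for fp in expected}
    result = {}
    for viewpoint, seen in observations.items():
        if seen is None:
            result[viewpoint] = "unreachable"
        else:
            result[viewpoint] = "ok" if normalize(seen) in pins else "mismatch"
    return result


# Constructed sample data: stand-ins for DER certificates, not real ones.
GOOD = fingerprint(b"constructed-der-legitimate")
ROGUE = fingerprint(b"constructed-der-rogue")
SAMPLE = {"vp-a": GOOD, "vp-b": ROGUE, "vp-c": None}
```

During a certificate renewal the expected set needs to hold both the old and the new fingerprint, otherwise every viewpoint reports a mismatch until the pin is updated.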