Financial Services | Security Engineer / DevOps

TLS & Certificate Transparency Audit

Monitor TLS protocol versions, OCSP revocation, CT logs, and DNS verification records

Certificate misconfiguration breaks customer-facing services and bypasses every trust signal browsers show. An expired cert returns a full-page warning; a rogue CA issues a cert under your brand and surfaces only in CT logs; an OCSP responder you depended on retired and your revocation monitoring went quiet. The CA/B Forum's 2026 schedule (200→100→47-day certs) makes manual oversight untenable. Audit TLS, revocation method, CT issuance, and CAA in one workflow. Start free on EdgeDNS — 200 requests/month, no credit card required.

The Challenge

PCI DSS 4.0 mandates TLS 1.2+ across in-scope systems while CAs are mid-migration off OCSP to CRLs (Let's Encrypt shut OCSP down 2025-08-06). Unauthorized certificates can be issued through compromised ACME accounts or registrar credentials and surface only in CT logs — usually weeks before they're used in an attack. Manual audits across dozens of domains, each with 5–20 DNS TXT verification tokens, don't catch any of this in time.

The Solution

Run TLS-version, revocation-method, CT-log, and CAA checks on a schedule, cross-referencing issuer against published CAA — a CA outside the allowlist is the earliest credential-compromise indicator. Pair with the [Subdomain Takeover guide](/guides/how-to-detect-subdomain-takeover) and the [SSL Certificate Monitoring use case](/use-cases/ssl-certificate-monitoring) for full attack-surface coverage, or use the [TLS Version endpoint](/guides/domain-tls-version) directly. Or ask your AI: *"Audit acme.com's TLS 1.3 support, CT-log issuance, and CAA — flag anything that looks misissued."*

Endpoints Used

Combine these EdgeDNS endpoints to build this solution.

GET /v1/domain/tls-version

TLS Version: Verify TLS 1.2+ support and detect deprecated protocols

GET /v1/domain/ocsp

Revocation Status: Per-CA revocation policy (OCSP vs CRL), responder liveness, and Let's Encrypt-style OCSP-deprecation tracking

GET /v1/domain/ct-logs

CT Logs: Search Certificate Transparency logs for issued certificates and rogue issuance

GET

DNS TXT Records: Query TXT records for verification tokens, SPF, DKIM, and service integrations

GET /v1/domain/ssl

SSL Certificate: Validate certificate chain, expiry, and issuer details

Results You Can Achieve

5 endpoints in one audit workflow

TLS Version, Revocation Status, CT Logs, SSL, and DNS TXT — covering the four directly observable pillars of certificate hygiene (protocol, revocation method, issuance, allowlist) in a single pass per domain.

CT-log monitoring for unauthorized issuance

Detect rogue certificates issued by unexpected CAs or for unexpected subdomains — typically the earliest signal of credential or DNS-control compromise.

Per-CA OCSP→CRL migration tracking

Identifies which CAs still operate OCSP responders (DigiCert, Sectigo, Google Trust Services) and which retired them (Let's Encrypt, 2025-08-06) so monitors don't fire false alerts on dead responders.

Code Example

Audit TLS and certificate transparency

```javascript
// Fan out the five EdgeDNS endpoints for one domain and unwrap each JSON body.
// Top-level await requires an ES module context (Node with "type": "module", or a .mjs file).
const domain = 'example.com';
const headers = { 'Authorization': 'Bearer YOUR_API_KEY' };

const [tls, ocsp, ctLogs, ssl, txt] = await Promise.all([
  fetch(`https://api.edgedns.dev/v1/domain/tls-version?domain=${domain}`, { headers }),
  fetch(`https://api.edgedns.dev/v1/domain/ocsp?domain=${domain}`, { headers }),
  fetch(`https://api.edgedns.dev/v1/domain/ct-logs?domain=${domain}`, { headers }),
  fetch(`https://api.edgedns.dev/v1/domain/ssl?domain=${domain}`, { headers }),
  fetch(`https://api.edgedns.dev/v1/dns/txt?domain=${domain}`, { headers }),
].map(p => p.then(r => {
  // Fail loudly on a non-2xx response instead of reading an error body as audit data.
  if (!r.ok) throw new Error(`${r.url} returned HTTP ${r.status}`);
  return r.json();
})));

// Protocol: negotiated version and post-quantum hybrid key-exchange support
console.log('TLS Negotiated:', tls.data.negotiated, '| PQ-hybrid:', tls.data.pqHybrid.supported);
// Revocation: which method this CA is expected to use and whether the responder still answers
console.log('Revocation:', ocsp.data.expected_method, '| Responder active:', ocsp.data.responder_active);
// Issuance: CT-log hit count; next_offset is set when more pages remain
console.log('CT Log Entries:', ctLogs.data.count, '| Next page:', ctLogs.data.pagination?.next_offset);
// Served certificate: expiry and compliance with the shortened-lifetime schedule
console.log('SSL Expiry:', ssl.data.validity?.not_after, '| Lifetime compliant:', ssl.data.lifetime_compliance?.compliant);
// Allowlist: CAA record count and whether the serving issuer is permitted by CAA
console.log('CAA records:', ssl.data.caa?.records?.length ?? 0, '| Issuer authorized:', ssl.data.caa?.issuer_authorized);
// Verification tokens and mail policy records
console.log('TXT Records:', txt.data.record_count, '| SPF:', txt.data.has_spf);

if (ctLogs.data.count > 0) {
  // Show the five most recent CT entries so an unexpected issuer stands out
  const recentCerts = ctLogs.data.certificates.slice(0, 5);
  recentCerts.forEach(c => console.log(` - ${c.issuer} @ ${c.timestamp}`));
}
```
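The issuer-versus-CAA cross-check described under The Solution, as an added example that is not part of the page's or EdgeDNS's own code. It applies RFC 8659 semantics (issuewild governs wildcard names, issue governs the rest, no records means any CA may issue) and assumes its own input shapes: CAA records as raw RR strings, and CT entries with a hypothetical issuer_caa_domain field carrying the CA's CAA identifying domain; the sample data is constructed.

```javascript
// Added example: cross-check CT-log issuers against a domain's CAA allowlist
// (RFC 8659 semantics). Input shapes are assumptions, not the API's schema:
// caaRecords are CAA RRs as 'flags tag "value"' strings, and each CT entry
// carries issuer_caa_domain (the CA's CAA identifying domain) and its names.

function parseCaa(records) {
  const policy = { issue: [], issuewild: [] };
  for (const rr of records) {
    const m = /^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$/i.exec(rr.trim());
    if (!m) continue;                    // skip malformed or unknown tags
    const tag = m[2].toLowerCase();
    if (tag === 'iodef') continue;       // reporting address, not an allowlist entry
    // value is "<ca-domain>[; param=value ...]"; only the CA domain matters here
    const caDomain = m[3].split(';')[0].trim().toLowerCase();
    policy[tag].push(caDomain);          // '' (from 'issue ";"') means no CA may issue
  }
  return policy;
}

function issuerAuthorized(policy, issuerDomain, isWildcard) {
  // RFC 8659: issuewild governs wildcard names when present, otherwise issue does
  const list = isWildcard && policy.issuewild.length ? policy.issuewild : policy.issue;
  if (list.length === 0) return true;  // no relevant CAA property: any CA may issue
  return list.includes(issuerDomain.toLowerCase());
}

function findMisissued(caaRecords, certs) {
  const policy = parseCaa(caaRecords);
  return certs.filter(c => {
    const wildcard = c.names.some(n => n.startsWith('*.'));
    return !issuerAuthorized(policy, c.issuer_caa_domain, wildcard);
  });
}

// Constructed sample data, not observed from any real domain.
const SAMPLE_CAA = ['0 issue "letsencrypt.org"', '0 issuewild "digicert.com"'];
const SAMPLE_CT = [
  { issuer_caa_domain: 'letsencrypt.org', names: ['www.example.com'], timestamp: '2025-09-01T10:00:00Z' },
  { issuer_caa_domain: 'digicert.com',    names: ['*.example.com'],   timestamp: '2025-09-02T10:00:00Z' },
  { issuer_caa_domain: 'letsencrypt.org', names: ['*.example.com'],   timestamp: '2025-09-03T10:00:00Z' },
  { issuer_caa_domain: 'rogue-ca.test',   names: ['api.example.com'], timestamp: '2025-09-04T10:00:00Z' },
];

for (const c of findMisissued(SAMPLE_CAA, SAMPLE_CT)) {
  console.log(`Issuer outside CAA allowlist: ${c.names.join(',')} by ${c.issuer_caa_domain} @ ${c.timestamp}`);
}
```

The third sample entry is flagged even though Let's Encrypt is in the issue list, because the wildcard name is governed by issuewild alone.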

