|
Although the poisoned pre-certificates†are logged as a necessary part of offering the least hassle product which is the business Let's Encrypt are in, they, like most CAs, also log the finished certificate shortly after. Here's the pre-certificate for this web site's current certificate: https://crt.sh/?id=23696530376 and here, just a few later in the log, is the finished certificate: https://crt.sh/?id=23696528656 This is good practice, but it's also just easier, because if anything goes wrong, and sometimes things do go wrong, when the trust store says hey, please provide all certificates you issued with these properties, if you've logged them they are right there published in the logs for everybody to see - no bother, no risk - if you haven't then you need your own storage and better hope there aren't any mistakes. I'm sure LE do have their own copies if they needed them, but it sure is nice to know that's not what you're betting on. †Poisoned pre-certificates are a "temporary" hack so that the certificate logging system can be demonstrated. If we ever really wanted this of course we'd develop a proper solution instead, right? Right? Every experienced software engineer knows that "temporary" usually means permanent in practice and so nobody was surprised by how this turned out. |
Happy to see LE publish both, but others do not. Here is an example: https://crt.sh/?id=17293798014
Your won't find final certificate from digicert/globalsign in the CT logs.
Unless the owner publish it himself, API is opened for submission I think for everybody.