How does crt.sh become aware of certificates that are in no CT logs?


Rufus Buschart

Mar 23, 2022, 8:15:10 AM
to crt.sh
Hi!

I'd like to understand how crt.sh became aware of crt.sh | 5815024778? I highly appreciate this certificate being in crt.sh, but it was never logged to any CT log. As I do have some more similar certificates that I'd love to have appear at crt.sh, I'd like to understand how this one was uploaded.

/Rufus

r...@sectigo.com

Mar 25, 2022, 7:45:15 AM
to crt.sh
Hi Rufus.  crt.sh doesn't keep a note of where it found each unlogged certificate, but these are the possibilities I can think of...

Log entries for leaf certs need to also contain the chain of intermediate certs up to an accepted root.  crt.sh creates records for these intermediate certs, even when they don't have dedicated log entries themselves.

https://github.com/crtsh/caissuer_monitor regularly downloads every AIA->caIssuers URL that crt.sh has ever encountered and adds any previously unseen intermediate certificates directly to the database.

https://github.com/crtsh/test_websites_monitor regularly checks each serverAuth CA's valid/expired/revoked test website (URLs obtained from CCADB), and adds any previously unseen certs directly to the database.

https://github.com/crtsh/certwatch_db/blob/master/jobs/update_accepted_roots.sh regularly downloads each log's get-roots endpoint and adds any previously unseen accepted root certs directly to the database.
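As an added illustration of the AIA->caIssuers crawl described above (example code, not crt.sh's or the caissuer_monitor project's own), this Go program builds a constructed root and intermediate, seeds a store with the intermediate, and lets an offline fetcher stand in for the HTTP download; the URL http://example.invalid/root.der and the function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DiscoverIssuers fetches every AIA->caIssuers URL carried by the stored certs (keyed by
// SHA-256 of their DER so one cert reached via several URLs is added once) and returns how many were new.
func DiscoverIssuers(store map[[32]byte]*x509.Certificate, fetch func(string) ([]byte, error)) (added int) {
	var urls []string // snapshot first, so the map is not mutated while ranged over
	for _, c := range store { urls = append(urls, c.IssuingCertificateURL...) }
	for _, u := range urls {
		der, err := fetch(u)
		if err != nil { continue } // a real monitor would log the failure and move on
		issuer, err := x509.ParseCertificate(der) // live URLs may also serve PKCS#7 bundles; not handled here
		if fp := sha256.Sum256(der); err == nil && store[fp] == nil {
			store[fp], added = issuer, added+1
		}
	}
	return added
}

// Scenario seeds a store with a constructed intermediate pointing at rootURL and returns an offline fetcher serving the root.
func Scenario(rootURL string) (map[[32]byte]*x509.Certificate, func(string) ([]byte, error)) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed fixture: generation errors ignored
	interPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := func(sn int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(sn), Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	}
	root := ca(1, "Constructed Root")
	rootDER, _ := x509.CreateCertificate(rand.Reader, root, root, rootPub, rootPriv)
	inter := ca(2, "Constructed Intermediate")
	inter.IssuingCertificateURL = []string{rootURL} // emitted as the AIA caIssuers accessLocation
	interDER, _ := x509.CreateCertificate(rand.Reader, inter, root, interPub, rootPriv) // signed by the root key
	interCert, _ := x509.ParseCertificate(interDER)
	store := map[[32]byte]*x509.Certificate{sha256.Sum256(interDER): interCert}
	return store, func(string) ([]byte, error) { return rootDER, nil }
}

func main() {
	store, fetch := Scenario("http://example.invalid/root.der") // constructed URL
	fmt.Println(DiscoverIssuers(store, fetch), DiscoverIssuers(store, fetch)) // 1 0: nothing new on the second pass
}
```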

Buschart, Rufus

Mar 28, 2022, 2:07:34 PM
to r...@sectigo.com, crt.sh