This repository contains all Root Certificate Authorities from whom Let's Encrypt's Certificate Transparency Logs accept leaf certificates.
Let's Encrypt operates two publicly-accessible Certificate Transparency logs:
- Oak
- Sapling
Oak is a production log, containing only certificates which are trusted by the Mozilla Root Program.
Sapling is a preproduction log, intended for certificates which are not publicly trusted, but which are issued by Certificate Authorities who either issue or are expected to issue publicly trusted certificates. In other words, Sapling is used by trusted Certificate Authorities in their testing infrastructures.
Testflume no longer exists and has been replaced by the Sapling test log.
The Boulder codebase contains a piece of software named ct-test-srv which implements RFC6962 add-chain and add-pre-chain endpoints. This software is sufficient for development and other testing environments. It does not persist data.
Create a New Issue and fill out the provided template. All communication will be performed via responses to your Github Issue. Upon approval, Let's Encrypt staff will create a Pull Request to include your certificates and update our Certificate Transparency logs.
Calling the get-roots endpoint for a Trillian backed log will return a JSON structure containing each root as base64 encoded DER.
Example retrieving all the roots from a CT log and viewing certificate content:
counter=1
for root in $(curl -sL https://oak.ct.letsencrypt.org/2023/ct/v1/get-roots | jq -r '.certificates[]'); do
echo -n "${root}" | base64 -d > /tmp/${counter}.crt
counter=$((counter+1))
done
openssl x509 -inform DER -in /tmp/${counter}.crt -noout -issuer -serial