ctlogconfig - Certificate Transparency log configuration tool

Synopsis ¶

ctlogconfig /path/to/db dump

ctlogconfig /path/to/db configure-public-key [ log-id|record-id ] /path/to/public-key.pem

ctlogconfig /path/to/db configure-url [ log-id|record-id ] log-URL

ctlogconfig /path/to/db valid-time-range log-id|record-id min-timestamp max-timestamp

ctlogconfig /path/to/db trust log-id|record-id

ctlogconfig /path/to/db distrust log-id|record-id

ctlogconfig /path/to/db forget log-id|record-id

log-id

This is the id of the log, which is the SHA-256 hash of the log's public key, provided in hexadecimal format. This string is 64 characters in length.

record-id

This is the record number in the database, as displayed by the dump sub-command, prefixed with #. As an example, #4 references the fourth record in the database. (Use shell escaping as necessary.)

/path/to/public-key.pem

This is a file containing the log's public key in PEM format. The public key is not stored in the database. Instead, a reference to the file is stored. Thus, the file cannot be removed until the public key in the database is removed or changed.

min-timestamp, max-timestamp

A timestamp is a time as expressed in the number of milliseconds since the epoch, ignoring leap seconds. This is the form of time used in Signed Certificate Timestamps. This must be provided as a decimal number.
Specify - for one of the timestamps if it is unknown. For example, when configuring the minimum valid timestamp for a log which remains valid, specify - for max-timestamp.
SCTs received from this log by the proxy are invalid if the timestamp is older than min-timestamp or newer than max-timestamp.

Sub-commands ¶

dump

Display configuration database contents. The record id shown in the output of this sub-command can be used to identify the affected record in other sub-commands.

configure-public-key

Add a log's public key to the database or set the public key for an existing entry. The log's public key is needed to validate the signature of SCTs received by a proxy from a backend server. (The database will be created if it does not yet exist.)

configure-url

Add a log's URL to the database or set the URL for an existing entry. The log's URL is used when submitting server certificates to logs in order to obtain SCTs to send to clients. (The database will be created if it does not yet exist.)

valid-time-range

Set the minimum valid time and/or the maximum valid time for a log. SCTs from the log with timestamps outside of the valid range will not be accepted. Use - for a time that is not being configured. (The database will be created if it does not yet exist.)

trust

Mark a log as trusted, which is the default setting. This sub-command is used to reverse a distrust setting. (The database will be created if it does not yet exist.)

distrust

Mark a log as distrusted. (The database will be created if it does not yet exist.)

forget

Remove information about a log from the database.

Examples ¶

Consider an Apache httpd instance which serves as a TLS server and a proxy. The TLS server needs to obtain SCTs from a couple of known logs in order to pass those to clients, and the proxy needs to be able to validate the signature of SCTs received from backend servers.

First we'll configure the URLs for logs where server certificates are logged:

Next we'll set the public key of a log where the certificate of our only backend server is published. In this case it is the log with URL http://log2.example.com/ which has already been configured.