TesseraCT is a Certificate Transparency (CT) log implementation. It implements static-ct-api using the Tessera library to store data, and is aimed at running production-grade CT logs.
At the moment, TesseraCT can be deployed on GCP and AWS.
TesseraCT is under active development, and will soon reach alpha 🚀.
Each deployment environment requires its own TesseraCT binary and Tessera infrastructure.
This repository contains binary main files for GCP and AWS, together with configuration and instructions to deploy TesseraCT in various environments:
- Test logs are meant to be brought up and turned down quickly for ad-hoc testing from a Virtual Machine.
- Continuous Integration (CI) logs are brought up every merge on the main branch, undergo automated testing, and are then brought down.
- Staging logs are not-yet-ready-for-production, but production-like logs.
Cloud | Binary | Test log | CI logs | Staging logs |
---|---|---|---|---|
GCP | cmd/gcp | VM | Cloud Run | Cloud Run |
AWS | cmd/aws | VM | Fargate | |
TesseraCT is the concatenation of Tessera and CT (Certificate Transparency); a tesseract also happens to be a 4-dimensional hypercube.
Tessera is a Go library for building tile-based transparency logs (tlogs) on various deployment backends. TesseraCT is a service using the Tessera library with CT specific settings to implement Certificate Transparency logs complying with static-ct-api. TesseraCT supports a subset of Tessera's backends. A TesseraCT serving stack is composed of:
- one or multiple instances of a TesseraCT binary using the Tessera library
- Tessera's backend infrastructure
- a minor additional storage system for chain issuers
After chatting with various CT log operators, we decided to focus on GCP and AWS to begin with, in an effort to address the current needs of log operators. We welcome contributions and requests for additional backend implementations. If you're interested, come and talk to us!
TesseraCT is the successor of Trillian's CTFE. It was built upon its codebase, and introduces these main changes:
- API: TesseraCT implements static-ct-api rather than RFC6962.
- Backend implementation: TesseraCT uses Tessera rather than Trillian. This means that TesseraCT integrates entries faster, is cheaper to maintain, requires running a single binary rather than 3, and does not need additional services for leader election.
- Single tenancy: One TesseraCT instance serves a single CT log, as opposed to the CTFE which could serve multiple logs per instance. To run multiple logs, simply bring up multiple independent TesseraCT stacks. For reliability, each log can still be served by multiple TesseraCT instances.
- Configuration: TesseraCT is fully configured using flags, and does not need a proto config anymore.
- Chain parsing: TesseraCT uses internal/lax509 to validate certificate chains. It is built on top of Go's standard crypto/x509 library, with a minimal set of CT-specific enhancements. It does not use the full crypto/x509 fork that the CTFE was using. This means that TesseraCT can benefit from the good care and attention given to crypto/x509. As a result, a very small number of chains do not validate anymore; head over to internal/lax509's README for additional details.
See CONTRIBUTING.md for details.
This repo is licensed under the Apache 2.0 license, see LICENSE for details.
Are you interested in running a TesseraCT instance? Do you have a feature request? You can find us here: