
The Sunlight CT Log

Sunlight is a Certificate Transparency log implementation and monitoring API designed for scalability, ease of operation, and reduced cost.

Sunlight was designed by Filippo Valsorda for the needs of the WebPKI community, through the feedback of many of its members, and in particular of the Sigsum, Google TrustFabric, and ISRG teams. It is partially based on the Go Checksum Database. Sunlight's development was sponsored by Let's Encrypt.

If you have feedback on the design, please join the conversation on the ct-policy mailing list, or in the #sunlight channel of the transparency-dev Slack.

We have a set of resources for various WebPKI stakeholders. Are you...

... a log operator? You can find the open source Sunlight implementation at github.com/FiloSottile/sunlight and the original design document, including a description of the Sunlight architecture and tradeoffs, at filippo.io/a-different-CT-log.

... a CT monitor? The Sunlight monitoring API is fully specified at c2sp.org/sunlight, and you can test against the prototype logs below. A Go client library is coming soon.

You might be happy to know that the object storage backends powering the Sunlight monitoring APIs are nearly rate-limit free! We're especially interested in feedback from CT monitors, and we'd be happy to help you get started with Sunlight.

... a certificate authority? You can submit to Sunlight logs just as you would to any other CT log!

You can use the Rome prototype logs for testing. Here are their submission and monitoring prefixes:

https://rome.ct.filippo.io/2024h2/
https://rome2024h2.fly.storage.tigris.dev/

https://rome.ct.filippo.io/2025h1/
https://rome2025h1.fly.storage.tigris.dev/

https://rome.ct.filippo.io/2025h2/
https://rome2025h2.fly.storage.tigris.dev/

Keys and more details are available on the Sunlight instance homepage. Chains are verified against the Chrome Root Store, Let's Encrypt staging roots, and DigiCert test roots. We'd be happy to add more staging or testing roots: email Filippo or open a PR. Certificates without the serverAuth EKU are rejected. There is a rate limit of 750 chains/s per log. All logs are served by a vastly overkill Hetzner AX42 machine. The storage is backed and sponsored by Tigris. Due to their experimental nature, these logs may occasionally encounter downtime or data loss.

Let's Encrypt also operates a set of Sunlight logs you can start submitting to today. Note that none of these logs are yet trusted by browsers.

... looking for the logo? You can find it here. It's based on a real place in the vicinity of Rome, where the first commit was made. Use it under the terms of the CC BY-ND 4.0 license.