The Sunlight CT Log

Sunlight is a Certificate Transparency log implementation and monitoring API designed for scalability, ease of operation, and reduced cost.

Sunlight was designed by Filippo Valsorda for the needs of the WebPKI community, through the feedback of many of its members, and in particular of the Sigsum, Google TrustFabric, and ISRG teams. It is partially based on the Go Checksum Database. Sunlight's development was sponsored by Let's Encrypt.

If you have feedback on the design, please join the conversation on the ct-policy mailing list, or in the #sunlight channel of the transparency-dev Slack.

We have a set of resources for various WebPKI stakeholders. Are you...

... a log operator? You can find the open source Sunlight implementation at github.com/FiloSottile/sunlight and the original design document, including a description of the Sunlight architecture and tradeoffs, at filippo.io/a-different-CT-log.

... a CT monitor? The Sunlight monitoring API is fully specified at c2sp.org/sunlight, and you can test against the prototype logs below. A Go client library is coming soon.

You might be happy to know that the object storage backends powering the Sunlight monitoring APIs are nearly rate-limit free! We're especially interested in feedback from CT monitors, and we'd be happy to help you get started with Sunlight.

... a certificate authority? You can submit to Sunlight logs just as you would to any other CT log!

You can use the Rome prototype logs for testing. These logs are automatically deployed from the latest development tree. Here are their submission and monitoring prefixes:

https://rome.ct.filippo.io/2024h1/
https://rome2024h1.fly.storage.tigris.dev/

https://rome.ct.filippo.io/2024h2/
https://rome2024h2.fly.storage.tigris.dev/

https://rome.ct.filippo.io/2025h1/
https://rome2025h1.fly.storage.tigris.dev/

Details

Chains are verified against the Chrome Root Store, Let's Encrypt staging roots, and DigiCert test roots. We'd be happy to add more staging or testing roots: email Filippo or open a PR. Certificates without the serverAuth EKU are rejected. There is a rate limit of 750 chains/s per log. All logs are served by a Fly.io app running on a single shared-4x-cpu@1024MB machine. The logs are backed and sponsored by Tigris. Due to their experimental nature, these logs may occasionally encounter downtime or data loss.

Public keys

rome2024h1

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAXM8Ld9qn64g1zVFDh5FtgxS3zj5
sqQDwYMs3wrBV3MCBiFhK/iRLxdKF4YsAcJaEglMlu4Lewvzxs0xO2uwEw==
-----END PUBLIC KEY-----

rome2024h2

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1MYng3cgeXHN7zp/0ojI84whzyx5
2SrZwcT//CQpAtJgi5f0ygRyzkKJQn7Bi5zH0S/97U/Ty3l9Iz6YsaBsXQ==
-----END PUBLIC KEY-----

rome2025h1

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhRM/8nIUSHy/fSlrn+939y43zBvA
9cCZZj58A7JmPA7s4stWNUdB3juei6HQ7E4t+zDiPRiTfSYTrl2bkFulgw==
-----END PUBLIC KEY-----

Example URLs

https://rome.ct.filippo.io/2024h1/ct/v1/add-chain
https://rome.ct.filippo.io/2024h1/ct/v1/add-pre-chain
https://rome.ct.filippo.io/2024h1/ct/v1/get-roots
https://rome2024h1.fly.storage.tigris.dev/checkpoint
https://rome2024h1.fly.storage.tigris.dev/tile/8/0/000
https://rome2024h1.fly.storage.tigris.dev/tile/8/data/000
https://rome2024h1.fly.storage.tigris.dev/issuers.pem
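
For monitors, here is how a data tile URL like the one above can be derived from an entry index and the tree size. This is an added example, not code from the Sunlight project. It assumes the tile path layout of the Go Checksum Database (three-digit index elements with an "x" prefix on all but the last, and a ".p/<width>" suffix for a partial rightmost tile); the specification at c2sp.org/sunlight is authoritative, and the names `encodeIndex` and `DataTileURL` are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: tile height 8, as in the /tile/8/ example URLs, so a full
// tile covers 256 entries.
const tileHeight = 8
const tileWidth = 1 << tileHeight

// encodeIndex splits a tile index into three-digit path elements and
// prefixes all but the last with "x": 1234067 -> x001/x234/067.
func encodeIndex(n int64) string {
	s := fmt.Sprintf("%03d", n%1000)
	for n >= 1000 {
		n /= 1000
		s = fmt.Sprintf("x%03d/%s", n%1000, s)
	}
	return s
}

// DataTileURL (hypothetical helper) returns the URL of the data tile that
// holds entry `leaf` in a log whose checkpoint reports treeSize entries.
// The rightmost tile may be partial and then carries a ".p/<width>" suffix.
func DataTileURL(prefix string, leaf, treeSize int64) (string, error) {
	if leaf < 0 || leaf >= treeSize {
		return "", fmt.Errorf("entry %d is not in a tree of size %d", leaf, treeSize)
	}
	index := leaf / tileWidth
	path := fmt.Sprintf("tile/%d/data/%s", tileHeight, encodeIndex(index))
	if (index+1)*tileWidth > treeSize { // tile not yet full
		path += fmt.Sprintf(".p/%d", treeSize-index*tileWidth)
	}
	return strings.TrimSuffix(prefix, "/") + "/" + path, nil
}

func main() {
	const prefix = "https://rome2024h1.fly.storage.tigris.dev/"
	// Constructed inputs: (entry index, tree size) pairs.
	for _, c := range [][2]int64{{0, 256}, {69999, 70000}, {315921152, 1 << 40}} {
		u, err := DataTileURL(prefix, c[0], c[1])
		fmt.Println(u, err)
	}
}
```

Rejecting an index at or beyond the tree size keeps a monitor from requesting tiles the signed checkpoint does not yet cover.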

Let's Encrypt also operates a set of Sunlight logs you can start submitting to today. Note that none of these logs are yet trusted by browsers.

... looking for the logo? You can find it here. It's based on a real place in the vicinity of Rome, where the first commit was made. Use it under the terms of the CC BY-ND 4.0 license.