Closed adamzwasserman closed 6 years ago
Providing the excellent answer I received from Alex Cohn on https://groups.google.com/d/msgid/certificate-transparency/f3e213bb-deaa-429d-987f-be986817c282%40googlegroups.com:
Those are three different certificates (https://crt.sh/?id=509845763, https://crt.sh/?id=509911866, and https://crt.sh/?id=509867989, respectively), issued by Comodo to CloudFlare. Each covers a slightly different set of domains - look at the "X509v3 Subject Alternative Name" extension; they're mostly, but not entirely identical.
CloudFlare acquires certificates covering their customers' domains as part of their Free SSL offering. They combine batches of customer domains onto one certificate; I'm guessing this is to reduce the number of keys they have to distribute to their edge caches. You're seeing them add/remove domains from this certificate; since certificates are immutable, Comodo issues and logs an entirely new certificate every time.
HTH, Alex
p.s. Depending on your use case, I'd recommend against excluding pre-certificates from your search - not all CAs log the final certificate (I believe DigiCert, GoDaddy, and Amazon don't), so you'll miss some final certificates unless a third party finds and submits them.
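The two points in the answer above (distinct certificates for one host differ only in their SAN sets, and a pre-certificate plus its final certificate are one issuance, not two) as an added Python example that is not part of the original thread or of certstream itself. The message layout (`data.update_type`, `data.leaf_cert.all_domains`, `data.leaf_cert.serial_number`, `data.chain[0].subject.CN`) is assumed to follow certstream's JSON format, and the sample stream is constructed, reusing the three serial numbers from the issue with made-up SAN names.

```python
def mk(update_type, serial, domains):
    # Builds one certstream-style message; field layout assumed from certstream's JSON.
    return {"message_type": "certificate_update", "data": {
        "update_type": update_type,
        "source": {"name": "Google 'Pilot' log"},
        "leaf_cert": {"serial_number": serial, "all_domains": domains},
        "chain": [{"subject": {"CN": "COMODO ECC Domain Validation Secure Server CA 2"}}],
    }}

# Constructed stream: three distinct certificates naming zz5b0zbooks.ml. The first is
# seen as a pre-cert and again as the final cert; the last is seen only as a pre-cert
# (the case of a CA that never logs the final certificate).
SAMPLE = [
    mk("PreCertEntry", "4514A395208FD36ADB8582D9394EE1CE",
       ["zz5b0zbooks.ml", "customer-a.example"]),
    mk("X509LogEntry", "4514a395208fd36adb8582d9394ee1ce",
       ["zz5b0zbooks.ml", "customer-a.example"]),
    mk("X509LogEntry", "D2C3635EFF70175FC53A20F09724CA65",
       ["zz5b0zbooks.ml", "customer-a.example", "customer-b.example"]),
    mk("PreCertEntry", "DE706E2A682BBB580B63725941E49195",
       ["zz5b0zbooks.ml", "customer-b.example"]),
]

def issuer_of(msg):
    chain = msg["data"].get("chain") or []
    return chain[0]["subject"].get("CN", "<unknown>") if chain else "<unknown>"

def dedupe_issuances(msgs):
    """One record per (issuer, serial). A pre-cert and its final cert share both, so
    this neither double-counts them nor drops CAs that only log the pre-cert."""
    first_seen = {}
    for m in msgs:
        key = (issuer_of(m), m["data"]["leaf_cert"]["serial_number"].upper())
        first_seen.setdefault(key, m)  # keep the first sighting, whatever its type
    return list(first_seen.values())

def san_history(msgs, host):
    """For each distinct certificate naming host, the SAN names added and removed
    relative to the previous certificate that named the same host."""
    history, prev = [], None
    for m in dedupe_issuances(msgs):
        sans = set(m["data"]["leaf_cert"]["all_domains"])
        if host not in sans:
            continue
        added = sorted(sans - prev) if prev is not None else sorted(sans)
        removed = sorted(prev - sans) if prev is not None else []
        history.append({"serial": m["data"]["leaf_cert"]["serial_number"].upper(),
                        "added": added, "removed": removed})
        prev = sans
    return history

if __name__ == "__main__":
    for h in san_history(SAMPLE, "zz5b0zbooks.ml"):
        print(h["serial"], "+", h["added"], "-", h["removed"])
```

Run against a real stream, the `added`/`removed` lists per serial are exactly the "mostly, but not entirely identical" SAN changes the answer describes; the four raw messages collapse to three issuances.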
Glad you got it sorted! Sorry for the delay, have been traveling!
I am new to cert transparency, and I don't understand something I am seeing:
I get multiple X509LogEntries for a single host (I filtered out PreCerts). (The layout is: hostname, source log, update type, message type, authority, fingerprint, serial number, and I added a timestamp of when it was read from the certstream.)
The host, source, and CA are the same, and the fingerprint and serial number are different.
I would really like to understand what I am looking at. I was hoping you could explain it :)
Thx, Adam
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 03:9D:02:34:E8:E7:DF:DC:10:19:24:8A:2C:A9:93:E9:20:71:95:93, 4514A395208FD36ADB8582D9394EE1CE, 2018-06-08 18-27-20
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 06:13:3E:FB:F5:01:5D:BD:02:E9:DC:E2:05:C3:D4:38:64:03:DD:68, D2C3635EFF70175FC53A20F09724CA65, 2018-06-08 18-27-26
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 87:67:E5:37:67:5E:57:1A:5F:B7:C7:C5:4F:92:6F:13:1D:9E:2B:98, DE706E2A682BBB580B63725941E49195, 2018-06-08 18-27-20