We’re excited to introduce TesseraCT, a new tile-based Certificate Transparency (CT) log implementation built on Tessera. TesseraCT is designed to make it easier and more-cost effective to operate CT logs at scale, while maintaining strong performance and reliability.

At this stage we are releasing the alpha of TesseraCT, ready for early testing and use by others.

What is TesseraCT?

TesseraCT is a CT server that implements the Static CT API. It is built on top of Tessera, our Go library for tile-based transparency logs.

Historically, operating CT logs has been complex and costly, but TesseraCT changes that by providing a modern CT implementation that incorporates lessons learned from operating real-world logs at scale.

Key features

Tile-based architecture and API: Enables efficient reads and writes, following the Static CT API C2SP specification.
Cloud-native & on-prem: Supports AWS, Google Cloud, POSIX filesystems, or vanilla S3/MySQL storage systems.
High uptime: Engineered to offer high availability, as required by user agents. While TesseraCT can run as a single instance, it will also safely run with multiple concurrent instances for higher availability.
Low operational overhead: Fewer moving parts and easier setup than Trillian+CTFE. At its simplest, TesseraCT requires only a single server rather than three, and is simpler to configure.
Future-proof: Designed for the highest level of availability, and to scale easily as certificate lifetimes get shorter and the volume of certificates issued increases.
Fast merging: Entries are integrated into the log within seconds, with the option to wait for submissions to be fully integrated before client requests return.

Where can it run?

TesseraCT can be run on Google Cloud Platform (GCP), Amazon Web Services (AWS), POSIX filesystems, or using vanilla S3+MySQL storage systems. We have tested each of these implementations using various deployment setups, and have confirmed that they are able to handle the current certificate submission rate seen by existing logs, of roughly 300 certificates per second. At the higher end, our staging GCP logs happily accept up to 1.7k QPS, and a local POSIX deployment was tested up to 10k QPS! More details and reproducible performance tests are available in the TesseraCT repo.

We recommend you choose which platform to use with TesseraCT based on your existing production environment:

Tile-Based Logs

Tile-based logs became popular in the CT world due to the caching benefits they provide, making read requests to the log simpler and cheaper to respond to. Even Trillian, used by our existing RFC 6962 CT log implementation, relies on a tiled architecture under the hood. However, TesseraCT directly exposes C2SP compliant tiles through the static CT API.

In contrast to the microservices-based approach of Trillian and the CTFE, TesseraCT offers a fresh architecture with a flexible, and simplified deployment model. This is a transformative step for CT log infrastructure, for existing and new log operators.

TesseraCT builds on the heritage of Trillian+CTFE, and was designed after much discussion with current CT log operators. It is just one of a growing number of CT log implementations that conform to the static CT API specification, including the trailblazing Sunlight, Azul, Itko and CompactLog. Having multiple log implementations provides diversity and resilience, and makes it possible to run static CT API logs on a variety of platforms, resulting in a healthier Certificate Transparency ecosystem overall.

Try out TesseraCT!

We’ve launched the alpha release of TesseraCT so that developers, log operators, and the CT ecosystem can test it as early as possible and provide feedback to be incorporated into future releases.

There are three TesseraCT staging logs available for testing:

arche2025h1 at https://arche2025h1.staging.ct.transparency.dev
arche2025h2 at https://arche2025h2.staging.ct.transparency.dev
arche2026h1 at https://arche2026h1.staging.ct.transparency.dev

CT log operators: Try out the Arche logs, or run your own! See our Getting Started guide and architecture overview for guidance on how. Give TesseraCT a try and help us answer the most important question: does this reduce your pain?

CT monitors: The Arche logs are now available for monitoring. Let us know if you run into any problems querying the logs.

Certificate Authorities: Submit certificates to our Arche logs.

We’re excited to share this milestone and we welcome your feedback. TesseraCT is about making it less painful to operate transparency infrastructure, so try the alpha and tell us what hurts. Let’s make the next generation of transparency logs better, together.

Keep an eye on the TesseraCT repo to follow along, and reach out with any questions or feedback on the transparency.dev slack. We look forward to hearing from you!

What’s Next?

We are continuing to push TesseraCT's development towards the goal of production tile-based CT logs. Future versions of TesseraCT will include additional features such as witnessing and a root update process integrated with CCADB. Check out our roadmap for more information.

Introducing TesseraCT