Logging cert hashes and checking them against a configurable list and/or CT Certificate Transparency logs would be helpful
Logging cert hashes and checking them against a configurable list and/or CT Certificate Transparency logs would be helpful