Certificate Transparency FAQ

Certificate Transparency (CT) is a Google initiative to log, audit and monitor certificates that CAs have issued. The intent is to create a public log of all SSL certificates. This will allow a domain owner to monitor the log for the issuance of certificates on any domain they own. This could highlight any certificates that have been issued on your domains which you did not request.

From February 2015 Google Chrome will no longer show the Green address bar for EV certificates that do not appear in a public CT log.

Servertastic Green Address Bar

*The following FAQ applies to Geotrust, Thawte and Symantec EV Certificates.

How does CT affect my existing EV SSL Certificates?

For EV certificates that have already been issued by Geotrust, Thawte and Symantec the details for external certificates will automatically be appended to a CT log by December 2014. By the end of 2014 customers who subscribe to an EV certificate will be able to choose if they want to publish the certificate to a CT log during enrolment, replacement or renewal.

What is the difference between external and internal EV certificates?

Some customers issue EV certificates that are only used within private networks and not accessible from the public internet. Any currently issued EV certificate from Geotrust, Thawte or Symantec that is an internal certificate (not accessible from the public internet) will not be automatically published to the public CT logs. Owners of internal EV certificates will receive a separate email asking if they want to opt-in.

All my EV Certificates are publicly accessible. Do I need to do anything?

Geotrust, Thawte and Symantec will automatically publish the details of your EV certificates to a public CT log by the end of December 2014. You do not need to take any action. For other providers you need to refer to their support channels.

Can I opt-out of adding my external EV SSL certificate to the CT log?

No. This will be automatic to ensure continuation of your Green Address Bar. However sometime in the future we will provide customers with the ability to enable or disable publication of the certificate during enrolment, replacement or renewal.

What information appears in the public CT log?

The common name, subject alternative names, organization information, the issuer’s name, serial number, dates, extensions and any intermediate certificates in the chain.

What if I don’t enable Certificate Transparency?

If you do not enable CT on your EV certificates then from February 2015 Google Chrome will no longer display the green address bar.

Can I change my mind after enabling Certificate Transparency?

The CT logs are append only. Therefore once submitted a certificate can not be removed from the log.

Will non EV Certificates be published to the public Certificate Transparency log?

Since June 2016 all certificates purchased from Servertastic will be published to CT logs.

More information about Certificate Transparency: http://www.certificate‐transparency.org/

Related Articles