Certificate Transparency

Certificate transparency is a Google initiative. Google Chrome uses Certificate transparency to check if a SSL certificate has been issued legitimately.

How does Certificate Transparency work?

Certificate Transparency (CT) is a system developed by Google that registers issued certificates in a strong secured publicly available log. When visiting a website, Chrome checks these logs to see if the found certificate is the correct one. In the logs is registered by domain name when a certificate has been issued for the domain and by which CA (Certificate Authority). A browser can then refer to this list if one visits a SSL secured page. When the presented certificate has no entry on the Certificate transparency list, the certificate could be forged or false. On this moment the browser will take action. Consequences include displaying an EV SSL certificate without green address bar, giving an error message or block access to a website.

Why use Certificate Transparency?

Browsers use control mechanisms such as CRL and OCSP. Both techniques use the status information from the Certificate Authority. With the introduction of Certificate transparency, browsers are no longer dependent on the information supplied by the CA's. Additionally CRL and OCSP only tell if a certificate is not expired or been revoked in the meantime. Certificate Transparency also has an indication by which CA the certificate should have been issued. This creates an additional guarantee when a root certificate of a CA is abused unnoticed. This won't show in a CRL check, but does so when checked via the Certificate Transparency list.

Planning

Google started in Chrome version 33 with checking for CT, per February 1st 2015 an CT log entry is mandatory for all EV certificates, the absence of the Certificate Transparency data results in a missing EV indicator in the address bar. The goal is to use Certificate Transparency for all type's of certificates from all brands per October 1st 2017. All Certificate Authorities contribute to this initiative and will ensure that certificates they issue are known in the CT list. After this date, a certificate that isn't logged on the CT list will be displayed as untrusted in Chrome. To ensure all parties involved have enough preparation time, Google announced in August 2017 they're moving the deadline and will start requiring Certificate Transparency from April 2018.

How does my certificate get on the CT list?

To register your certificate with the Certificate Transparency log, Certificate Authorities will add the certificate to the secured, append only CT log. There's no action required by the certificate holder or end user, neither is there an additional waiting period before a certificate can be used.

Extra information

SSLCheck

Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues