Certificate Transparency is now mandatory as of April 30, 2018
Today is the first day that Google is requiring all Certificate Authorities to log the SSL certificates they issue in certificate transparency logs. Failure to do so will result in a browser warning that tells users your website’s certificate isn’t CT compliant.
Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy. After this date, when Chrome connects to a site serving a publicly-trusted certificate that is not compliant with the Chromium CT Policy, users will begin seeing a full page interstitial indicating their connection is not CT-compliant. Sub-resources served over https connections that are not CT-compliant will fail to load and will show an error in Chrome DevTools.
The other browsers have already committed to follow suit, but given Chrome’s market share (at around 60% of internet users), Google’s decision to move forward with CT on its own would have made it a de facto mandate.
What Is Certificate Transparency?
Certificate Transparency is a mechanism for logging the digital certificates issued by CAs to better protect against mis-issuance and assist with revocation. Vince wrote a complete post about it a couple of years ago, but here’s the gist:
Certificate Transparency (CT) is a mechanism which helps domain owners and industry watchdogs detect misissuance. It is a publicly available log of certificates that have been issued. This log lists all the certificate’s information so that it can be inspected by anyone with an interest. In practice there are multiple logs, which is needed due to the scale of the SSL ecosystem – millions of certificates are issued each year. Each log has to follow defined standards on what and how it stores the certificates.
This, coupled with the requirement for CAA records, which restrict which CAs can issue for which domains, should represent a bold step forward towards a more secure internet. CT logs place greater accountability on CAs and help watchdogs find problems before they snowball into something larger.
Google has been pushing for Certificate Transparency for quite some time. At first it was voluntary, with CAs only compelled to participate after they had made mistakes with mis-issuance. Symantec famously agreed to log its certificates as a result of mis-issuances. But before now, outside of EV certificates and voluntary participation, CT wasn’t an industry standard. Google has been working to change that for a while, even delaying the deadline last year to give CAs more time.
Time’s up now though. Logging certificates is now a requirement for all CAs.
What Do I Need to Do to Prepare For Certificate Transparency?
Unless you’re running a Certificate Authority, nothing. This is an industry change that only affects the party issuing the certificate, so if you’re just reselling you have nothing to worry about. The same goes for end users. Additionally, your SSL certificate isn’t going to break if it was issued before April 30, 2018 and wasn’t logged. The change isn’t retroactive.
But going forward, CAs must log all SSL certificates in a Certificate Transparency log, lest they receive browser warnings.