Certificate Transparency is mandatory as of April 2018
As of February 1, 2018, DigiCert will submit all newly issued SSL certificates to Certificate Transparency (CT) logs by default.
Clint Wilson, DigiCert’s Technical Product Manager, detailed the decision in a blog post:
In the interest of improving our customers’ security and encouraging adoption, we are making this change ahead of Google’s industry-wide requirement that goes into effect in April 2018. CT logging has only been required for EV certificates since 2015.
This change will happen automatically on February 1st. Your publicly trusted DigiCert SSL Certificates issued on or after that date will include pieces of data called “SCTs”—Signed Certificate Timestamps. These are embedded directly into the certificate and tell client software, like web browsers, that the certificate has been logged. When Google Chrome begins enforcing CT compliance in April, your certificates will already be compatible. You don’t need to do anything unless you don’t want your certificates logged.
This move will only affect DigiCert certificates. The Symantec brands (Symantec, RapidSSL, GeoTrust & Thawte), which DigiCert acquired last fall, are already required to log all new certificates as part of an agreement with Google.
What is Certificate Transparency?
If you’re looking for a detailed explanation of Certificate Transparency, Vince (who ironically now works for DigiCert) wrote an excellent article about it last year.
But if you only want the abridged version: Certificate Transparency is a public logging mechanism that strengthens the Web PKI by making certificate issuance observable, so that mis-issued certificates can be spotted. Starting with Google’s April 2018 deadline, every publicly trusted SSL certificate has to be logged before Chrome will accept it, so in practice every Certificate Authority must log every certificate it issues. The certificates are recorded in public, append-only logs that anyone can search and monitor. When a certificate is submitted, the log returns a Signed Certificate Timestamp (SCT), its signed promise to include the certificate within a fixed delay, and it is these SCTs that the CA embeds in the certificate as proof of logging.
This, in turn, lets website owners see every certificate issued for their domains, which gives the public far better oversight of what CAs are doing.
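To make the SCT concrete, here is a small Python parser for an RFC 6962 SignedCertificateTimestampList, the TLS-encoded structure a CA embeds in the certificate as the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2 (wrapped in an OCTET STRING; openssl prints it as "CT Precertificate SCTs"). This is an added example, not code from the original post or from DigiCert. The sample list it parses is constructed inline with two made-up logs and dummy signature bytes, so nothing in it corresponds to a real log; the log IDs are computed the way RFC 6962 defines them, as the SHA-256 of the log's public key.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList.

In a certificate this blob is the value of the extension with OID
1.3.6.1.4.1.11129.2.4.2, wrapped in a DER OCTET STRING (strip that first).
Each SCT is a log's signed promise that the (pre)certificate will appear
in that log, so the relying party can tell the certificate was logged.
"""

import hashlib
import struct
from datetime import datetime, timezone

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"


def _read_vec(buf, pos, len_bytes):
    """Read a TLS opaque vector with a len_bytes-wide big-endian length prefix."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("vector runs past end of data")
    return buf[pos:pos + n], pos + n


def parse_sct(data):
    """Decode one SerializedSCT (RFC 6962 section 3.2) into a dict."""
    if len(data) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:                      # only v1 (value 0) is defined
        raise ValueError("unsupported SCT version %d" % version)
    log_id = data[1:33]                   # SHA-256 of the log's public key
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    extensions, pos = _read_vec(data, 41, 2)
    # digitally-signed struct: hash alg (1 byte), sig alg (1 byte), signature <2-byte len>
    if pos + 2 > len(data):
        raise ValueError("missing signature algorithm bytes")
    hash_alg, sig_alg = data[pos], data[pos + 1]
    signature, pos = _read_vec(data, pos + 2, 2)
    if pos != len(data):
        raise ValueError("trailing bytes after signature")
    return {
        "version": version,
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": hash_alg,             # RFC 5246 HashAlgorithm, 4 = sha256
        "sig_alg": sig_alg,               # RFC 5246 SignatureAlgorithm, 3 = ecdsa
        "signature": signature,
    }


def parse_sct_list(blob):
    """Decode a SignedCertificateTimestampList: an outer 2-byte length, then a
    sequence of 2-byte-length-prefixed SerializedSCTs."""
    items, pos = _read_vec(blob, 0, 2)
    if pos != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(items):
        raw, p = _read_vec(items, p, 2)
        scts.append(parse_sct(raw))
    return scts


def is_valid_sct_list(blob):
    """True if the blob parses cleanly as an SCT list (structure only, no signature check)."""
    try:
        parse_sct_list(blob)
        return True
    except ValueError:
        return False


def distinct_log_count(scts):
    """Number of different logs represented; browser policies count logs, not SCTs."""
    return len({s["log_id"] for s in scts})


def log_id_for_pubkey(pubkey_der):
    """RFC 6962: LogID = SHA-256(DER-encoded SubjectPublicKeyInfo of the log)."""
    return hashlib.sha256(pubkey_der).hexdigest()


def build_sct(log_pubkey_der, timestamp_ms, signature):
    """Build a v1 SerializedSCT. Used here only to construct sample input;
    a real SCT is produced and signed by the log, not by the relying party."""
    log_id = hashlib.sha256(log_pubkey_der).digest()
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)                  # no extensions
            + bytes([4, 3])                         # sha256 + ecdsa
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts):
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample: two fake logs (the "public keys" are just labels) and dummy
# signature bytes. 1517443200000 ms is 2018-02-01T00:00:00Z, DigiCert's switch-on date.
SAMPLE_LIST = build_sct_list([
    build_sct(b"fake-log-A-public-key", 1517443200000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    build_sct(b"fake-log-B-public-key", 1517443201234, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_LIST):
        print(sct["log_id"][:16], sct["timestamp"].isoformat(), len(sct["signature"]), "sig bytes")
    print("distinct logs:", distinct_log_count(parse_sct_list(SAMPLE_LIST)))
```

The parser checks structure only; verifying an SCT means looking the log ID up in a trusted log list and checking the ECDSA signature over the precertificate with that log's key, which is what the browser does before counting the SCT.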
What Happens if my Certificate isn’t Logged?
Starting in April 2018, Chrome will require every newly issued publicly trusted certificate to be logged. Certificates issued before the deadline are not affected. A certificate issued after the deadline that carries no valid SCTs will be rejected by Chrome with a full-page certificate error (net error ERR_CERTIFICATE_TRANSPARENCY_REQUIRED), just as a self-signed or expired certificate is today. Note that the SCTs do not have to be embedded in the certificate itself: RFC 6962 also allows them to be delivered in a TLS extension or in a stapled OCSP response, so a site whose CA does not embed them can still comply, but embedding is the only option that needs no server-side work, which is why DigiCert’s change matters.