Do You Need CT for Non-EV Certificates?

We have been receiving some questions about Certificate Transparency (CT). The main question is whether non-EV SSL/TLS certificates should be registered in a CT log. On investigation, we found that some partners and customers have received an email about whitelisting their certificates so that they will not get an untrusted warning in Chrome after June 1, 2016.

Please note that Google Chrome is the only browser supporting certificate transparency (CT). Google implemented CT starting in 2015 for all EV SSL/TLS certificates. To move this program forward, all EV certificates that were valid at the end of 2014 were whitelisted in Chrome, and all EV SSL/TLS certificates issued after 2014 have been published to two or more CT logs. With whitelisting and CT logging, all EV SSL/TLS certificates continue to be EV trusted in Chrome.

Google also uses CT logging to monitor certification authorities (CAs) to help ensure they issue certificates to the correct specifications. Many non-EV SSL/TLS certificates have been added to the Google CT logs. Google has also discovered some CA compliance issues and has asked a couple of CAs [1] [2] to CT log all of their certificates. Logging allows monitoring and will help ensure these CAs stay compliant. That CT logging requirement is also the source of the emails stating that you must whitelist your non-EV SSL/TLS certificates to ensure they are trusted after June 1, 2016.

If you are using any Entrust Datacard certificate, you do not need to do anything different by June 1, 2016. Entrust Datacard will continue to CT log all EV SSL/TLS certificates. For non-EV SSL/TLS certificates, Entrust Datacard is not under any requirement to log them. As such, existing and new Entrust Datacard SSL/TLS certificates will continue to be trusted in Chrome. Entrust Datacard is also planning to expand CT logging to all non-EV SSL/TLS certificates. We have been careful in our approach to CT.
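As an added example (not part of the original post and not Entrust Datacard tooling), the following Python decodes the SignedCertificateTimestampList that a CA embeds in a certificate's CT extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962) and reports how many distinct logs have issued an SCT for it. That count is the check behind the "two or more CT logs" statement above, and it is what an operator can run against their own certificate to see whether it was logged at all. The sample extension bytes, log IDs and signature values are constructed for the example; SCT signatures are parsed but not verified, since that would require each log's public key.

```python
"""Decode an embedded SCT list (RFC 6962 section 3.3) and count the distinct CT logs it names."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension that carries the embedded SCT list
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def unwrap_der_octet_string(value: bytes) -> bytes:
    """Strip the outer DER OCTET STRING that wraps an X.509 extension value, if present."""
    if not value or value[0] != 0x04:
        return value  # already the bare TLS-encoded list
    first = value[1]
    if first < 0x80:                      # short-form length
        length, start = first, 2
    else:                                 # long-form length: 0x8N followed by N length bytes
        n = first & 0x7F
        length = int.from_bytes(value[2:2 + n], "big")
        start = 2 + n
    content = value[start:start + length]
    if len(content) != length:
        raise ValueError("truncated OCTET STRING")
    return content


def parse_sct(sct: bytes) -> Dict:
    """Decode one serialized v1 SCT (RFC 6962 section 3.2). The signature is NOT verified here."""
    if len(sct) < 47 or sct[0] != 0:      # 47 bytes = minimal v1 SCT with empty extensions/signature
        raise ValueError("unsupported or truncated SCT")
    log_id = sct[1:33]                    # SHA-256 of the log's public key
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    p = 43 + ext_len
    if len(sct) < p + 4:
        raise ValueError("truncated SCT extensions")
    hash_alg, sig_alg = sct[p], sct[p + 1]  # TLS SignatureAndHashAlgorithm ids
    (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
    signature = sct[p + 4:p + 4 + sig_len]
    if len(signature) != sig_len or p + 4 + sig_len != len(sct):
        raise ValueError("malformed SCT signature field")
    return {
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp": _EPOCH + timedelta(milliseconds=timestamp_ms),
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": signature,
    }


def parse_sct_list(ext_value: bytes) -> List[Dict]:
    """Decode a SignedCertificateTimestampList: 2-byte total length, then 2-byte-prefixed SCTs."""
    data = unwrap_der_octet_string(ext_value)
    if len(data) < 2:
        raise ValueError("missing list length")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT entry length")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        item = data[pos:pos + n]
        if len(item) != n:
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(item))
        pos += n
    return scts


def distinct_logs(scts: List[Dict]) -> int:
    """Number of different CT logs that issued an SCT (duplicates from one log count once)."""
    return len({s["log_id"] for s in scts})


def meets_two_log_policy(ext_value: bytes) -> bool:
    """True when SCTs from at least two distinct logs are embedded, per the post's description."""
    return distinct_logs(parse_sct_list(ext_value)) >= 2


# --- Constructed sample data (not real log IDs or signatures) -------------------------------
def _serialize_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialize a v1 SCT with empty extensions; hash_alg 4 = sha256, sig_alg 3 = ecdsa."""
    body = b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + b"\x00\x00"
    body += b"\x04\x03" + struct.pack(">H", len(signature)) + signature
    return struct.pack(">H", len(body)) + body


def build_extension(entries: List[Tuple[bytes, int, bytes]]) -> bytes:
    """Wrap serialized SCTs in the TLS list and the DER OCTET STRING an extension value uses."""
    blob = b"".join(_serialize_sct(*e) for e in entries)
    tls = struct.pack(">H", len(blob)) + blob
    der_len = bytes([len(tls)]) if len(tls) < 0x80 else b"\x82" + struct.pack(">H", len(tls))
    return b"\x04" + der_len + tls


LOG_A = b"\xaa" * 32                        # constructed log ID
LOG_B = b"\xbb" * 32                        # constructed log ID
FAKE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # placeholder DER-ish bytes, not a real signature
T0 = 1451606400000                          # 2016-01-01T00:00:00Z in milliseconds
SAMPLE_EXTENSION = build_extension([(LOG_A, T0, FAKE_SIG), (LOG_B, T0 + 1234, FAKE_SIG)])
SINGLE_LOG_EXTENSION = build_extension([(LOG_A, T0, FAKE_SIG), (LOG_A, T0 + 5, FAKE_SIG)])

if __name__ == "__main__":
    for s in parse_sct_list(SAMPLE_EXTENSION):
        print(s["log_id"][:16], s["timestamp"].isoformat())
    print("two-log policy met:", meets_two_log_policy(SAMPLE_EXTENSION))
```

On a real certificate, the bytes handed to parse_sct_list are the value of the 1.3.6.1.4.1.11129.2.4.2 extension; two SCTs from the same log are counted once, which is why distinct_logs rather than len(scts) is the number to compare against a policy.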
Although we fundamentally support CT, we want to ensure that we consider the redaction of domain names. With no name redaction, all certificate contents, including the fully qualified domain name, will be logged. There have been indications that some customers do not want their servers' host names published, as some of these names are considered private. With the continuing development of the Certificate Transparency RFC, name redaction will be considered. Entrust Datacard hopes to continue to deploy CT while giving our customers the option to redact their domain names. Please comment if you have any questions about Certificate Transparency.