The Internet ecosystem has been working towards Chrome’s requirement for certificate transparency (CT) for all SSL/TLS certificates in April 2018. CT logs have been created. CT monitoring tools have been developed. Certification authorities (CAs) have integrated processes to allow certificates to be CT logged.

The question has been, what is the exact date we are working towards?

The CA Common Database announced to CA operators, “Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy.” This means SSL/TLS certificates must be CT qualified by meeting one of the following criteria:

  1. A signed certificate timestamp (SCT) from a log qualified at the time of check is presented via the TLS extension OR is embedded within a stapled OCSP response, where there is at least one SCT from a Google Log, qualified at the time of check and at least one SCT from a non-Google Log, qualified at time of check.
  2. An embedded SCT from a log qualified at the time of check is presented, where there is at least one embedded SCT from a Google Log, at least one Embedded SCT from a non-Google Log and there are the minimum number of embedded SCTs.

Minimum number of embedded SCTs are:

  • Certificate validity of less than 15 months, minimum embedded SCTs is 2
  • Certificate validity greater than 15 months, but less than or equal to 27 months, minimum embedded SCTs is 3
  • Certificate validity greater than 27 months, but less than or equal to 39 months, minimum embedded SCTs is 4
  • Certificate validity greater than 39 months, minimum embedded SCTs is 5

As of April 1, 2018, CAs can only issue SSL/TLS certificates with a maximum validity period of 825-days (~27 months). In most cases, we will see CAs issuing the maximum validity period of 27 months, which will require 3 embedded SCTs.

With the validity period reduced from 39-months to 825-days, all SSL/TLS certificates trusted by Chrome will be CT logged within three years. This means full certificate coverage enabling domain owners to discover fraudulent certificates by monitoring the CT logs. It also means domain owners can determine all certificates that support their domains and put them under management. Entrust Datacard supports CT Search, CT certificate import and CT monitoring. 

 

Bruce Morton

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.