The Internet ecosystem has been working towards Chrome’s requirement for certificate transparency (CT) for all SSL/TLS certificates in April 2018. CT logs have been created. CT monitoring tools have been developed. Certification authorities (CAs) have integrated processes to allow certificates to be CT logged.
The question has been, what is the exact date we are working towards?
The CA Common Database announced to CA operators, “Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy.” This means SSL/TLS certificates must be CT qualified by meeting one of the following criteria:
The minimum number of embedded SCTs is:
As of April 1, 2018, CAs can only issue SSL/TLS certificates with a maximum validity period of 825 days (~27 months). In most cases, we will see CAs issuing the maximum validity period of 27 months, which will require 3 embedded SCTs.
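As an added illustration (not code from Chrome, the CA Common Database or Entrust Datacard), the sketch below parses an embedded SCT list in the RFC 6962 TLS encoding and checks it against the 3-SCT figure given above for 27-month certificates. It assumes the input is the content of the certificate's SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2) after DER unwrapping; all function names and the sample bytes are constructed for this example.

```python
import struct

def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SCT: version, log_id, timestamp, extensions, signature."""
    if len(sct) < 47:
        raise ValueError("truncated SCT")
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
    if version != 0:
        raise ValueError("unsupported SCT version")
    pos = 43 + ext_len                      # skip CtExtensions
    if pos + 4 > len(sct):
        raise ValueError("truncated SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if pos + 4 + sig_len != len(sct):
        raise ValueError("SCT signature length mismatch")
    return {"log_id": log_id, "timestamp_ms": ts_ms, "hash_alg": hash_alg, "sig_alg": sig_alg}

def parse_sct_list(data: bytes) -> list:
    """Parse the TLS-encoded SignedCertificateTimestampList."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT list")
        (n,) = struct.unpack_from(">H", data, pos)
        item = data[pos + 2:pos + 2 + n]
        if len(item) != n:
            raise ValueError("truncated SCT list")
        scts.append(parse_sct(item))
        pos += 2 + n
    return scts

def meets_minimum(data: bytes, required: int = 3) -> bool:
    """True if the list holds SCTs from at least `required` distinct logs."""
    # Counting each log once is this example's conservative choice.
    # Signatures and log qualification are NOT checked here.
    return len({s["log_id"] for s in parse_sct_list(data)}) >= required

# --- constructed sample data (placeholder log IDs, timestamps, signatures) ---
def make_sct(log_byte: int, ts_ms: int) -> bytes:
    sig = b"\x00" * 8
    body = struct.pack(">B32sQH", 0, bytes([log_byte]) * 32, ts_ms, 0)
    body += struct.pack(">BBH", 4, 3, len(sig)) + sig   # sha256 / ecdsa
    return struct.pack(">H", len(body)) + body

def make_list(*scts: bytes) -> bytes:
    return struct.pack(">H", sum(map(len, scts))) + b"".join(scts)

THREE_LOGS = make_list(*(make_sct(b, 1525132800000) for b in (1, 2, 3)))
ONE_LOG_TWICE = make_list(make_sct(1, 1525132800000), make_sct(1, 1525132800001), make_sct(2, 1525132800000))
```

`meets_minimum(THREE_LOGS)` passes, while `ONE_LOG_TWICE` carries three SCTs but fails the check because two come from the same log.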
With the validity period reduced from 39 months to 825 days, all SSL/TLS certificates trusted by Chrome will be CT logged within three years. This means full certificate coverage, enabling domain owners to discover fraudulent certificates by monitoring the CT logs. It also means domain owners can determine all certificates that support their domains and put them under management. Entrust Datacard supports CT Search, CT certificate import and CT monitoring.