
Moving Forward with Certificate Transparency

Dec 18 2014


Written by: Bruce Morton


As we move into 2015, you will start to see Certificate Transparency deployed on EV SSL certificates.

Google has required that as of January 2015, all EV SSL certificates be publicly logged to retain their EV status. All current EV SSL certificates will be whitelisted for the Chrome browser.

Google Chrome will be the only browser supporting Certificate Transparency. If your certificate has been logged, you will see that the identity is “publicly auditable” and “transparency information” will be provided.

Certificate transparency

 

When you select “transparency information”, you will see time-stamps from each log.

Signed Certificate Timestamps Viewer
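The time-stamps shown in that viewer are carried in Signed Certificate Timestamps (SCTs). The following is an added example, not code from the original post or from Entrust: a parser for the SCT list encoding defined in RFC 6962, run over a constructed sample whose log ID and signature are placeholders. It decodes the fields only and does not verify the log's signature.

```python
import struct
from datetime import datetime, timezone

HASH_ALGS = {4: "sha256"}            # TLS HashAlgorithm values used by CT logs
SIG_ALGS = {1: "rsa", 3: "ecdsa"}    # TLS SignatureAlgorithm values

def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SignedCertificateTimestamp (RFC 6962, section 3.2)."""
    if len(sct) < 43:  # version(1) + log_id(32) + timestamp(8) + ext_len(2)
        raise ValueError("truncated SCT")
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    pos = 43 + ext_len  # skip the (usually empty) extensions field
    if pos + 4 > len(sct):
        raise ValueError("truncated SCT signature header")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    signature = sct[pos + 4:]
    if len(signature) != sig_len:
        raise ValueError("signature length mismatch")
    return {
        "log_id": log_id.hex(),  # SHA-256 hash of the log's public key
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
        "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
        "signature": signature,
    }

def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("SCT overruns list")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def build_sample_list() -> bytes:
    """Constructed sample: one SCT with a placeholder log ID and signature."""
    ts_ms = int(datetime(2014, 12, 18, tzinfo=timezone.utc).timestamp() * 1000)
    sct = struct.pack(">B32sQH", 0, b"\xaa" * 32, ts_ms, 0)
    sct += struct.pack(">BBH", 4, 3, 8) + b"\x00" * 8
    return struct.pack(">HH", len(sct) + 2, len(sct)) + sct
```

Calling `parse_sct_list(build_sample_list())` returns one entry per log; a certificate logged to several logs yields several entries, each with its own log ID and timestamp.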

 

Most certification authorities (CAs) will not support certificate transparency for non-EV certificates, so you will still see legitimate SSL certificates where Chrome will state “does not have public records.” If certificate transparency is successful, it will likely be extended to all SSL certificates.

With certificate transparency, the logs can be monitored, which will reveal all EV SSL certificates that have been issued for a given domain. This will allow unauthorized certificates to be addressed and revoked.

Update July 24 2015: With the release of Chrome 44, if the certificate is not logged, then Chrome states "No Certificate Transparency information was supplied by the server."

Bruce Morton
Director for Certificate Services
Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust, where he has been employed since 1997. His day-to-day responsibilities include managing standards implementations, overseeing Entrust’s policy authority, and monitoring Entrust Certificate Services for industry compliance.