What is Certificate Transparency?
Certificate Transparency (CT) is an initiative and project in the Web PKI arena whose goals are to improve the robustness of the Web PKI, to give domain owners, business owners, certificate authorities (CAs), and certificate subscribers visibility into SSL/TLS certificate issuance, and to improve the overall security of the internet.
Certificate Transparency makes it possible, and easier, to identify misissued certificates, certificates issued for a domain that closely resembles a legitimate one (e.g. example.com vs exampie.com), and certificates that were simply issued by mistake. With early detection of such certificates, users can contact the CAs that issued them and request that the certificates be revoked, or at least analyzed for possibly malicious or mistaken activity.
It is a practical solution that adds many benefits to the robustness of the Web PKI. With better oversight of digital certificates, trust is strengthened across the internet.
Certificate Transparency logs
CT logs are append-only, cryptographically secure, and publicly auditable. Each certificate issued by a publicly trusted CA is appended to a set of CT logs. Logs are independent and do not sync with each other. Each logged certificate is accompanied by a Signed Certificate Timestamp (SCT), which acts as the glue and is delivered during the SSL/TLS handshake.
Log operations include:
- X.509v3 extension – arguably the most common; the CA returns the SCT, and server admins continue managing certificates as they always have.
- TLS extension – this operation requires the server admin to submit the certificate to a CT log, get the SCT, and return it in the TLS handshake.
- OCSP stapling – the SCT is returned in the OCSP extension during the TLS handshake.
The EJBCA enterprise edition software will handle certificate transparency functions for you.
Searching Certificate Transparency logs
A seemingly ubiquitous application for searching certificate transparency logs is located at https://crt.sh.
Brief examples for using the site include:
- To search certificates for a given domain, enter the domain name to find all certificates issued for that domain.
- Click on a returned certificate to:
  - Check revocation status by CRL or OCSP.
  - See the SCTs.
  - View certificate data and attributes.
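The monitoring use described above, spotting certificates for your own domain from an issuer you do not use and certificates for lookalike names such as exampie.com, as an added example that is not part of the original page. The records are constructed and modelled on the `issuer_name` and `name_value` fields of crt.sh's JSON output; the watched domain, the expected issuer name and the distance threshold are assumptions.

```python
import json

WATCHED = "example.com"                  # the domain you own
EXPECTED_ISSUERS = {"Example Trust CA"}  # hypothetical name of the CA you actually use

# Constructed records shaped like crt.sh JSON output; name_value can hold several names.
SAMPLE = r"""[
 {"id": 1, "issuer_name": "O=Example Trust CA, CN=Example Trust CA R1", "name_value": "example.com\nwww.example.com"},
 {"id": 2, "issuer_name": "O=Unknown Issuer, CN=Unknown Issuer G2", "name_value": "login.example.com"},
 {"id": 3, "issuer_name": "O=Unknown Issuer, CN=Unknown Issuer G2", "name_value": "exampie.com\n*.exampie.com"},
 {"id": 4, "issuer_name": "O=Example Trust CA, CN=Example Trust CA R1", "name_value": "unrelated.org"}
]"""
ENTRIES = json.loads(SAMPLE)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(name):
    """Last two labels with any wildcard stripped (assumption: no public suffix list)."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])

def review(entries, watched=WATCHED, issuers=EXPECTED_ISSUERS, max_dist=2):
    """Return (log entry id, name, reason) for every name that needs a human look."""
    findings = []
    for entry in entries:
        for name in entry["name_value"].split("\n"):
            base = registrable(name)
            if base == watched:
                # Our own domain: only certificates from a CA we use are expected.
                if not any(i in entry["issuer_name"] for i in issuers):
                    findings.append((entry["id"], name, "unexpected issuer"))
            elif edit_distance(base, watched) <= max_dist:
                # Someone else's domain that is a near-miss of ours.
                findings.append((entry["id"], name, "lookalike domain"))
    return findings

if __name__ == "__main__":
    for finding in review(ENTRIES):
        print(finding)
```

A small edit distance also matches unrelated legitimate domains, so treat the findings as a triage list rather than a verdict.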
OpenSSL Certificate Transparency
To verify that a website's certificate is using CT, run the following command from a Linux system, along with a ct_log_list.cnf file.
openssl s_client -connect example.com:443 -ct -CApath /etc/ssl/certs/
Certificate Transparency Requirements
To be trusted and accepted by most modern browsers, TLS certificates must be logged in CT logs and have an SCT returned. If no SCT is returned, the browser will not trust the certificate, which will then cause an interruption to your website or business.
Additional CT resources
- Although not as frequently updated these days, the official discussion forum can be found by searching for the certificate transparency google group.