RapidSSL Transitions to Google’s Certificate Transparency Initiative


February 3, 2016 11:33 am | Published by Matt

RapidSSL has moved to support Google’s Certificate Transparency (CT) initiative by introducing CT logging for its security certificates, a step that other SSL certificate providers may also be implementing in the near future.


What is Certificate Transparency?

CT has been developed by Google to log, audit and monitor Certificate Authorities’ issuances. At present, authorities must detail Extended Validation certificates in public append-only logs but other certificates require no logging.

In time, though, this is all set to change. There are solid plans on the horizon for all SSL/TLS certificates to be logged.

What Is Certificate Transparency Trying to Achieve?

The principal aim of CT is to provide greater transparency in the issuing of certificates: SSL and TLS certificate details can now be registered in publicly accessible CT logs. This enables webmasters to actively monitor a domain’s issued certificates to check for uniqueness.

CT will not be a direct replacement for the authentication procedures of RapidSSL and other Certificate Authorities, but will work beside them as a further verification and uniqueness tool.

What Information Will Be Made Public?

Once enabled, CT logging will make the details of your SSL/TLS certificate readily available, including:

  • Common name and subject alternative name(s)
  • Serial number
  • Valid from and to dates
  • Organisation details
  • Issuer
  • Certificate extensions
  • Certificate chain up to, but not inclusive of the root, including any relevant intermediate Certificate Authority certificates
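
As an added illustration of the monitoring described above (not code from RapidSSL or Google), the Python example below checks constructed log entries carrying the public fields just listed against an inventory of certificates the domain owner knows about. The entry layout, CA names, serial numbers and function names are assumptions made for the example.

```python
from datetime import date

# Constructed sample entries (not real log data) using the public fields listed above.
ENTRIES = [
    {"common_name": "www.example.com", "sans": ["www.example.com", "example.com"],
     "serial": "0A1B2C", "issuer": "Example Issuing CA",
     "not_before": date(2016, 3, 1), "not_after": date(2017, 3, 1)},
    {"common_name": "*.example.com", "sans": ["*.example.com"],
     "serial": "FFEE01", "issuer": "Example Other CA",
     "not_before": date(2016, 4, 10), "not_after": date(2017, 4, 10)},
    {"common_name": "notexample.com", "sans": ["notexample.com"],
     "serial": "123456", "issuer": "Example Other CA",
     "not_before": date(2016, 4, 11), "not_after": date(2017, 4, 11)},
    {"common_name": "old.example.com", "sans": ["old.example.com"],
     "serial": "00AA11", "issuer": "Example Other CA",
     "not_before": date(2014, 1, 1), "not_after": date(2015, 1, 1)},
]

def covers_domain(name, domain):
    """True if a certificate name is the domain itself or a name beneath it."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard covers names under its base
        name = name[2:]
    domain = domain.lower().rstrip(".")
    # Require a label boundary so "notexample.com" does not match "example.com".
    return name == domain or name.endswith("." + domain)

def unexpected_certificates(entries, domain, inventory, today):
    """Return (issuer, serial, names) for unexpired certificates that name the
    domain but are missing from the owner's inventory of (issuer, serial) pairs."""
    findings = []
    for entry in entries:
        names = {entry["common_name"], *entry["sans"]}
        if not any(covers_domain(n, domain) for n in names):
            continue                   # certificate is for some other domain
        if entry["not_after"] < today:
            continue                   # expired, no longer usable
        # Serial numbers are only unique per issuer, so compare the pair.
        if (entry["issuer"], entry["serial"].upper()) not in inventory:
            findings.append((entry["issuer"], entry["serial"], sorted(names)))
    return findings

if __name__ == "__main__":
    inventory = {("Example Issuing CA", "0A1B2C")}   # certificates we requested
    for finding in unexpected_certificates(ENTRIES, "example.com", inventory, date(2016, 6, 1)):
        print("Not in inventory:", finding)
```
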

How will Certificate Transparency Impact Google Chrome?

Google Chrome is the most popular web browser worldwide, so there’s a high probability that quite a few visitors to your site will be using Chrome. CT will undoubtedly bring a whole new level of security, while the overall user experience will remain at the high standard currently in place. The current state of play with Google Chrome can be tracked on The Chromium Projects site here: https://www.chromium.org/Home/chromium-security/certificate-transparency.

In fact, RapidSSL are strongly advising that certificate details are entered into the public log as Chrome users will be faced with security messages and warnings for unlisted certificates issued after 1st June 2016.

How Do I Make Sure My SSL/TLS Certificate Details Are Logged?

By default, SSL/TLS certificates that are new, reissued or renewed on or after 29th February 2016 will have their details logged automatically.

You can change the default settings; however, external parties may still publish details if your site is publicly accessible.

SSL and TLS certificates dated pre June 2016 will not be logged. Domain owners need take no action and will not be negatively affected by the initiative.

What Happens If I Change My Mind?

Once you have opted in and a certificate’s information has been cleared for public logging, there is no going back. All information regarding the certificate and its details is open to the public and cannot be removed. Even revoking a certificate and replacing it with a new one opted out of CT will not remove your old certificate’s details from the log.

If you choose not to enable CT for a certificate but change your mind further down the line, it is simply a case of replacing the certificate and opting in for CT logging.

For further information relating to Google’s Certificate Transparency initiative, please visit the official site: https://www.certificate-transparency.org/.