Certificate Transparency frequently asked questions
What is Certificate Transparency?
What CT option should I choose?
What about certificates I already have?
What about certificates and domains I have to keep private?
What if my certificate has both internal and external SAN names?
What if I choose full domain name logging for CT and then change my mind?
What are the exact dates that Certificate Transparency became an option during enrollment?
What certificate information appears in the public log?
How is this information used?
How to identify if a certificate is CT enabled?
How do I replace my certificate to add CT?
Where can I learn more about CT?
What is Certificate Transparency?
Certificate Transparency (CT) helps you monitor certificates issued for your domains by making the certificate information available in a public log.
To ensure we offer the best certificate security, and to provide a good browsing experience on your website, Symantec SSL/TLS certificates now provide two logging options for CT:
- Full domain names: Publicly logs root domain names and subdomains in the certificate. Recommended for all public websites.
- Only root domain names: Publicly logs only root domain names in the certificate. Intended only for private internal domains.
CT lets domain owners view all certificates issued for their domain and identify Certificate Authorities (CAs) that issued any unrecognized certificates.
CT helps verify that a website’s certificate is properly issued, but it does not replace the rigorous verification procedures that Symantec and other CAs employ.
What CT option should I choose?
Full domain names is recommended for public websites. Every fully-qualified domain name in the certificate (the common name and each subject alternative name) is logged as-is, for example abc.example.com.
For Extended Validation (EV) certificates, Google Chrome shows the green address bar.
Figure 1: Example of the green address bar that EV certificates display in Chrome
For all other certificate types, Google Chrome provides a normal browsing experience.
Only root domain names logs the root domain names only and hides subdomains. Every fully-qualified domain name in the certificate is logged with its subdomain labels redacted, so abc.example.com appears in the log as ?.example.com.
Note: Symantec recommends full domain name logging (the default option) for all websites unless you require a privacy or security exception to keep subdomain names private. Keep in mind that for external (public-facing) websites, your certificate information is already publicly available.
Choose Only root domain names only if you need to keep your subdomain names private.
For EV certificates with root-only logging, Google Chrome does not show the green address bar. Any certificate with root-only logging may trigger browser warnings when users connect to the website.
What about certificates I already have?
All certificates issued after June 1, 2016 include CT. If you requested a certificate without CT before June 1, 2016 but it was issued after that date, Symantec enabled CT and logged root domain names only.
For certificates without CT issued before June 1, 2016, test your website in Google Chrome to make sure it doesn't display unexpected browser warnings.
What about certificates and domains I have to keep private?
Choose the Only root domain names option during certificate enrollment. This option keeps the unique subdomain names private (?.example.com).
At this time, Google Chrome doesn't recognize root-only CT log entries, so Chrome may show a warning that the connection is "not private" or "untrusted" when internal users connect to your private domains. To suppress CT warnings for your trusted private domains, apply the CT exemption policy (Chrome's CertificateTransparencyEnforcementDisabledForUrls enterprise policy, which takes a list of URL patterns) to the devices that run Chrome or Chromium-based applications.
What if my certificate has both internal and external SAN names?
If you need to keep your internal domain names private, we recommend you request separate certificates for internal and external domains. For internal domains, choose the option "Only root domain names" during enrollment.
What if I choose full domain name logging for CT and then change my mind?
Once you choose full domain name logging for a certificate, you cannot delete the subdomain information from the log. Even if you revoke and replace the certificate and choose root domain logging, the subdomain information from the previous certificate remains in the log.
What are the exact dates that Certificate Transparency became an option during enrollment?
- Extended Validation: December 2014
- Organization Validation: January 2016
What certificate information appears in the public log?
All information in your certificate appears in the public CT log, including the full certificate chain.
Note that for external (public-facing) websites, this information is already publicly available.
How is this information used?
Owners of certificates can use CT logs to determine whether their certificates were properly issued, but reading the logs requires tooling that speaks the CT log API (RFC 6962) or a monitoring service that does so on your behalf.
Certificate Transparency logs
Symantec, Google, and other industry leaders currently host the main CT logs:
Root domain name logs
Symantec hosts the CT log (Deneb) for certificates logged by root domain name only:
Base64 Log ID: p85KTmIH4K3e5f2qSx+GdodntdACpV1HMQ5+ZwqV6rI=
Started: June 1st 2016
Public Key:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
Note: Deneb, the root-domain-only log above, is NOT trusted by Chrome, and CT auditors or monitors should not copy entries from Deneb into any public CT log trusted by Chrome.
Other people and companies that have access to the logs can use the information as they see fit. Note that if your certificate is publicly reachable, anyone can see that information today.
How to identify if a certificate is CT enabled?
- How to identify if a certificate is enabled from Symantec Trust Center
- How to identify if a certificate is enabled from Symantec Partner
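A certificate is CT enabled when it carries embedded Signed Certificate Timestamps (SCTs) in the extension with OID 1.3.6.1.4.1.11129.2.4.2 (RFC 6962, section 3.3). The following Python script is an added example, not code from this page or from Symantec tooling: it decodes that extension value and checks each SCT's log ID against the Deneb log ID published above, so you can tell a root-domain-only SCT (which Chrome does not recognize) from an SCT issued by some other log. It assumes you have already pulled the raw extension bytes out of the certificate; the embedded sample extension is constructed test data with placeholder signatures (no signature verification is attempted), and OTHER_LOG_ID is a hypothetical log identifier.

```python
"""Parse an embedded SCT list (RFC 6962 s3.3) and flag SCTs from Symantec's
Deneb root-domain-only log. Added example; not Symantec's own tooling."""
import base64
import struct
from datetime import datetime, timezone

# Log ID of Symantec's root-domain-only (Deneb) log, as published on this page.
DENEB_LOG_ID = base64.b64decode("p85KTmIH4K3e5f2qSx+GdodntdACpV1HMQ5+ZwqV6rI=")

# OID of the X.509 extension that carries embedded SCTs (RFC 6962, section 3.3).
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

KNOWN_LOGS = {DENEB_LOG_ID: "symantec-deneb-root-only"}


def unwrap_der_octet_string(data):
    """The extension value is a DER OCTET STRING wrapping the TLS-encoded list.
    Strip that wrapper if present (tag 0x04); otherwise treat data as raw TLS."""
    if not data or data[0] != 0x04:
        return data
    first = data[1]
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long form: 0x8n followed by n bytes
        n = first & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    body = data[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated OCTET STRING")
    return body


def parse_sct(sct):
    """Decode one v1 SignedCertificateTimestamp (RFC 6962 section 3.2).
    Layout: version(1) log_id(32) timestamp_ms(8) extensions(2+n)
            hash_alg(1) sig_alg(1) signature(2+n)."""
    if sct[0] != 0:
        raise ValueError("unsupported SCT version %d" % sct[0])
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    pos = 43 + ext_len
    hash_alg, sig_alg = sct[pos], sct[pos + 1]
    (sig_len,) = struct.unpack(">H", sct[pos + 2:pos + 4])
    signature = sct[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len or pos + 4 + sig_len != len(sct):
        raise ValueError("malformed SCT signature field")
    return {
        "log_id_b64": base64.b64encode(log_id).decode(),
        "log": KNOWN_LOGS.get(log_id, "unknown"),
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": signature,
    }


def parse_sct_list(ext_value):
    """Decode a SignedCertificateTimestampList: uint16 total length followed by
    uint16-length-prefixed SCTs. Signatures are NOT verified here."""
    data = unwrap_der_octet_string(ext_value)
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        scts.append(parse_sct(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts


def only_deneb(scts):
    """True when every embedded SCT comes from Deneb: per this page Chrome then
    recognizes none of them and may warn. No SCTs at all means not CT enabled."""
    return bool(scts) and all(s["log"] == "symantec-deneb-root-only" for s in scts)


# ---- constructed sample input; not taken from a real certificate ----
def build_sct(log_id, when, signature):
    """TLS-encode one v1 SCT with a placeholder signature (test data only)."""
    ts_ms = int(when.timestamp() * 1000)
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + struct.pack(">H", 0)
            + bytes([4, 3])                # hash SHA-256, signature ECDSA
            + struct.pack(">H", len(signature)) + signature)


def build_extension_value(scts):
    """Wrap TLS-encoded SCTs in the DER OCTET STRING X.509 stores them in."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    tls_list = struct.pack(">H", len(body)) + body
    assert len(tls_list) < 0x80            # short-form DER length suffices here
    return b"\x04" + bytes([len(tls_list)]) + tls_list


OTHER_LOG_ID = bytes(range(32))            # hypothetical ID of some other log
SAMPLE_EXTENSION = build_extension_value([
    build_sct(DENEB_LOG_ID, datetime(2016, 6, 1, tzinfo=timezone.utc), b"\xaa" * 8),
    build_sct(OTHER_LOG_ID, datetime(2016, 7, 15, tzinfo=timezone.utc), b"\xbb" * 8),
])

if __name__ == "__main__":
    parsed = parse_sct_list(SAMPLE_EXTENSION)
    for s in parsed:
        print(s["log"], s["log_id_b64"], s["timestamp"].isoformat())
    print("all SCTs from Deneb:", only_deneb(parsed))
```

To get the extension bytes from a real certificate, the quickest check is `openssl x509 -in cert.pem -noout -text`, which prints this extension as "CT Precertificate SCTs" with one "Log ID" per entry; an entry whose Log ID equals the Deneb ID above is a root-domain-only SCT. A certificate with no such extension at all (and no SCTs delivered via OCSP or the TLS handshake) is not CT enabled.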