Certificate Transparency for Symantec SSL Certificates

General Information ID:    INFO2177    Updated:    11/28/2017

Description

Certificate Transparency frequently asked questions

What is Certificate Transparency?
What CT option should I choose?
What about certificates I already have?
What about certificates and domains I have to keep private?
What if my certificate has both internal and external SAN names?
What if I choose domain name logging and then change my mind?
What are the exact dates that Certificate Transparency became an option during enrollment?
What certificate information appears in the public log?
How is this information used?
How do I identify whether a certificate is CT enabled?
How do I replace my certificate to add CT?
Where can I learn more about CT?

What is Certificate Transparency?

Certificate Transparency (CT) helps you monitor certificates issued for your domains by making the certificate information available in a public log.
To ensure we offer the best certificate security, and to provide a good browsing experience on your website, Symantec SSL/TLS certificates provide two logging options for CT:

  • Log domain names for best security (recommended for all public websites): Provides the best browsing experience to your customers and helps you monitor certificates issued for your domains.

  • Don't log private domain names (don't use for public websites): Intended for private domains to keep internal names hidden from the public. However, Google Chrome shows warnings when anyone connects to your site.

CT lets domain owners view all certificates issued for their domain and identify Certificate Authorities (CAs) that issue unrecognized certificates.

CT helps verify that a website’s certificate is properly issued, but it does not replace the rigorous verification procedures that Symantec and other CAs employ.


What CT option should I choose?

Choose Log my domain names for public websites. All fully-qualified domain names (common name and subject alternative names) that appear in the certificate are logged.

For Extended Validation (EV) certificates, Google Chrome shows the green address bar.

For all other certificate types, Google Chrome provides a normal browsing experience.

Don’t log domain names if you want to keep internal domain names private.
Note: Choose this option only if you require a privacy or security exception to keep domain names private. Choosing this option results in browser warnings when anyone connects to your site. Also keep in mind that for external (public-facing) websites, your certificate information is already publicly available.

What about certificates I already have?

For certificates issued before June 1, 2016 without CT domain logging, make sure your website won’t display unexpected browser warnings in Google Chrome.


What about certificates and domains I have to keep private?

Choose Don't log my domain names during certificate enrollment. This option keeps the domain names private and hidden from the public.

However, Google Chrome shows warnings when anyone connects to your site. To disable CT warnings for your trusted private domains, apply the CT exemption policy to devices with Chrome/Chromium-based applications.


What if my certificate has both internal and external SAN names?

If you need to keep your internal domain names private, request separate certificates for internal and external domains. For internal domains, choose Don't log my domain names during enrollment.


What if I choose domain name logging and then change my mind?

Once you choose domain name logging for a certificate, you cannot delete the domain information from the log. Even if you revoke and replace the certificate and choose “Don't log my domain names”, the domain information from the previous certificate remains in the log.


What are the exact dates that Certificate Transparency became an option during enrollment?

Extended Validation: December 2014
Organization Validation: January 2016

What certificate information appears in the public log?

All information in your certificate appears in the public CT log, including the full certificate chain.

Note that for external (public-facing) websites, this information is already publicly available.

How is this information used?

Owners of certificates can use CT logs to determine whether their certificate was properly issued, but they need suitable software and programmatic resources to access the logs.

Certificate Transparency logs
Symantec, Google, and other industry leaders currently host the main CT logs:
http://www.certificate-transparency.org/known-logs


Root domain name logs
Symantec hosts the CT log for certificates logged by root domain name only:

 CT Address:     https://deneb.ws.symantec.com/ct/v1
 Base64 Log ID:  p85KTmIH4K3e5f2qSx+GdodntdACpV1HMQ5+ZwqV6rI=
 Started:        June 1st 2016
 Public Key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEloIeo806gIQel7i3BxmudhoO+FV2
nRIzTpGI5NBIUFzBn2py1gH1FNbQOG7hMrxnDTfouiIQ0XKGeSiW+RcemA==
-----END PUBLIC KEY-----


Note: Deneb is NOT trusted by Chrome, and CT auditors or monitors should not copy entries from Deneb into any public CT log trusted by Chrome.
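As an added example (not part of the original article or of Symantec's tooling), the following Python checks that the Base64 Log ID published for Deneb is what RFC 6962 defines it to be, the SHA-256 of the log's DER-encoded public key, and that the key has the shape of the ECDSA P-256 key CT logs normally use. Only the PEM key and Log ID from the table above are used; the function names are my own. The same derived ID is what SCTs from Deneb carry, so a monitor can use it to recognise Deneb entries that Chrome does not trust.

```python
# Added example: check a CT log's published Log ID against its public key.
# RFC 6962 section 3.2: LogID = SHA-256 over the log's DER-encoded SubjectPublicKeyInfo.
# The PEM key and Log ID below are copied from the Deneb table on this page.
import base64
import hashlib
import re

DENEB_LOG_ID_B64 = "p85KTmIH4K3e5f2qSx+GdodntdACpV1HMQ5+ZwqV6rI="
DENEB_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEloIeo806gIQel7i3BxmudhoO+FV2
nRIzTpGI5NBIUFzBn2py1gH1FNbQOG7hMrxnDTfouiIQ0XKGeSiW+RcemA==
-----END PUBLIC KEY-----"""

# DER header of a SubjectPublicKeyInfo carrying an uncompressed P-256 point:
# SEQUENCE(89) { SEQUENCE { id-ecPublicKey, prime256v1 }, BIT STRING(66) 0x00 0x04 ... }
P256_SPKI_PREFIX = bytes.fromhex(
    "3059" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "034200" "04"
)
P256_SPKI_LEN = 91


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the SubjectPublicKeyInfo."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def is_p256_spki(der: bytes) -> bool:
    """True if the DER has the exact layout of an ECDSA P-256 public key."""
    return len(der) == P256_SPKI_LEN and der.startswith(P256_SPKI_PREFIX)


def log_id_from_pem(pem: str) -> bytes:
    """Derive the 32-byte Log ID that SCTs issued by this log will carry."""
    return hashlib.sha256(pem_to_der(pem)).digest()


def log_id_matches(pem: str, claimed_id_b64: str) -> bool:
    """Does the operator's advertised Log ID agree with the advertised key?"""
    return log_id_from_pem(pem) == base64.b64decode(claimed_id_b64, validate=True)


if __name__ == "__main__":
    der = pem_to_der(DENEB_PUBLIC_KEY_PEM)
    print("P-256 SPKI:", is_p256_spki(der))
    print("derived Log ID:", base64.b64encode(log_id_from_pem(DENEB_PUBLIC_KEY_PEM)).decode())
    print("matches published Log ID:", log_id_matches(DENEB_PUBLIC_KEY_PEM, DENEB_LOG_ID_B64))
```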

Other people and companies that have access to the logs can use the information as they see fit. Note that if your certificate is publicly reachable, anyone can see that information today.


How do I identify whether a certificate is CT enabled?

How do I replace my certificate to add CT?
