Certificate Transparency for Symantec SSL Certificates

General Information ID:    INFO2177    Updated:    08/22/2016

Description

Certificate Transparency frequently asked questions

What is Certificate Transparency?
What CT option should I choose?
What about certificates I already have?
What about certificates and domains I have to keep private?
What if my certificate has both internal and external SAN names?
What if I choose full domain name logging for CT and then change my mind?
What are the exact dates that Certificate Transparency became an option during enrollment?
What certificate information appears in the public log?
How is this information used?
How to identify if a certificate is CT enabled?
How do I replace my certificate to add CT?
Where can I learn more about CT?

What is Certificate Transparency?

Certificate Transparency (CT) helps you monitor certificates issued for your domains by making the certificate information available in a public log.

To ensure we offer the best certificate security, and to provide a good browsing experience on your website, Symantec SSL/TLS certificates now provide two logging options for CT:

  • Full domain names: Publicly logs root domain names and subdomains in the certificate. Recommended for all public websites.
  • Only root domain names: Publicly logs only root domain names in the certificate. Intended only for private internal domains.

CT lets domain owners view all certificates issued for their domain and identify Certificate Authorities (CAs) that issued any unrecognized certificates.

CT helps verify that a website’s certificate is properly issued, but it does not replace the rigorous verification procedures that Symantec and other CAs employ.

What CT option should I choose?

Full domain names is recommended for public websites. All fully-qualified domain names (common name and subject alternative names) that appear in the certificate are logged as abc.example.com.

For Extended Validation (EV) certificates, Google Chrome shows the green address bar.

Figure 1: Example of the green address bar that EV certificates display in Chrome


For all other certificate types, Google Chrome provides a normal browsing experience.

Only root domain names logs root domain names only, and hides subdomains. All fully-qualified domain names (e.g., abc.example.com) that appear in the certificate are logged as ?.example.com, where the ? stands in for the redacted subdomain label.

Note: Symantec recommends full domain name logging (the default option) for all websites unless you require a privacy or security exception to keep subdomain names private. Keep in mind that for external (public-facing) websites, your certificate information is already publicly available.

Choose root domain names only if you want to keep your subdomain names private.

For EV certificates logged by root domain only, Google Chrome does not show the green address bar, because Chrome does not accept the root-only log as a qualified CT log (see the note on Deneb below). Any certificate logged only by root domain may trigger browser warnings when users connect to the website.


What about certificates I already have?

All certificates issued after June 1, 2016 include CT. If you requested a certificate without CT before June 1 but it was issued after June 1, Symantec enabled CT and logged root domain names only.

Certificates issued before June 1, 2016 were not subject to the CT requirement. If yours lacks CT, test your site in Google Chrome to confirm it shows no unexpected warnings, and replace the certificate with a CT-enabled one if it does.


What about certificates and domains I have to keep private?

Choose the Only root domain names option during certificate enrollment. This option keeps the unique subdomain names private (?.example.com).

At this time, Google Chrome doesn’t recognize root-only CT log entries, so Chrome may report that the connection is “not private” or “untrusted” when internal users connect to your private domains. To suppress CT enforcement for trusted private domains, deploy Chrome’s CT exemption enterprise policy (CertificateTransparencyEnforcementDisabledForUrls, which takes a list of URL patterns) to the devices running Chrome or Chromium-based applications.


What if my certificate has both internal and external SAN names?

If you need to keep your internal domain names private, we recommend you request separate certificates for internal and external domains. For internal domains, choose the option "Only root domain names" during enrollment.


What if I choose full domain name logging for CT and then change my mind?

Once you choose full domain name logging for a certificate, you cannot delete the subdomain information from the log. Even if you revoke and replace the certificate and choose root domain logging, the subdomain information from the previous certificate remains in the log.

What are the exact dates that Certificate Transparency became an option during enrollment?

Extended Validation: December 2014
Organization Validation: January 2016

What certificate information appears in the public log?

All information in your certificate appears in the public CT log, including the full certificate chain.

Note that for external (public-facing) websites, this information is already publicly available.

How is this information used?

Domain owners can use CT logs to confirm that their certificates were properly issued and to spot certificates they did not request, but the logs are not browsed like a website: they are read through the RFC 6962 HTTP API (get-sth, get-entries, and so on) by a monitor or client written for that purpose, or through a third-party monitoring service.

Certificate Transparency logs
Symantec, Google, and other industry leaders currently host the main CT logs:
http://www.certificate-transparency.org/known-logs


Root domain name logs
Symantec hosts the CT log for certificates logged by root domain name only:

 CT Address     https://deneb.ws.symantec.com/ct/v1
 Base64 Log ID  p85KTmIH4K3e5f2qSx+GdodntdACpV1HMQ5+ZwqV6rI=
 Started        June 1st 2016
 Public Key     (PEM, SubjectPublicKeyInfo)
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEloIeo806gIQel7i3BxmudhoO+FV2
nRIzTpGI5NBIUFzBn2py1gH1FNbQOG7hMrxnDTfouiIQ0XKGeSiW+RcemA==
-----END PUBLIC KEY-----


Note: Deneb is NOT trusted by Chrome, and CT auditors or monitors should not copy entries from Deneb into any public CT log trusted by Chrome.
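The "programmatic resources" mentioned above are the RFC 6962 HTTP API that every CT log exposes. The Python below is an added example for this FAQ, not Symantec's code or tooling: it derives a log's Log ID from its public key (RFC 6962 defines the Log ID as the SHA-256 of the DER-encoded SubjectPublicKeyInfo, which is how a monitor confirms that a published key and Log ID belong together), and it decodes the MerkleTreeLeaf structure that get-entries returns so a monitor can pull out the certificate and check the names in it. The key and the CT address are the ones from the table above; the leaf used for testing is constructed inline, and the network calls under `__main__` assume the endpoint is still served (any log from the known-logs list will do otherwise).

```python
"""Talk to an RFC 6962 log with the standard library only.
Added example for this FAQ, not Symantec code."""
import base64
import hashlib
import json
import struct
import urllib.parse
import urllib.request

# Public key of the Deneb root-domain log, copied from the table above (PEM).
DENEB_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEloIeo806gIQel7i3BxmudhoO+FV2
nRIzTpGI5NBIUFzBn2py1gH1FNbQOG7hMrxnDTfouiIQ0XKGeSiW+RcemA==
-----END PUBLIC KEY-----"""
DENEB_URL = "https://deneb.ws.symantec.com/ct/v1"   # CT address from the table above


def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour and base64-decode the SubjectPublicKeyInfo."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def log_id_from_pem(pem: str) -> str:
    """RFC 6962 s3.2: LogID = SHA-256 over the DER SubjectPublicKeyInfo.
    Base64 of that hash is what log lists publish and what SCTs carry."""
    return base64.b64encode(hashlib.sha256(pem_to_der(pem)).digest()).decode()


def parse_leaf_input(leaf_b64: str) -> dict:
    """Decode one MerkleTreeLeaf (RFC 6962 s3.4) as returned by get-entries.

    version(1) leaf_type(1) timestamp(8) entry_type(2), then
      x509_entry   : len(3) + DER certificate
      precert_entry: issuer_key_hash(32) + len(3) + TBSCertificate
    followed by CtExtensions len(2) + data.
    """
    raw = base64.b64decode(leaf_b64)
    if raw[0] != 0 or raw[1] != 0:
        raise ValueError("not a v1 timestamped_entry leaf")
    (timestamp_ms,) = struct.unpack(">Q", raw[2:10])
    (entry_type,) = struct.unpack(">H", raw[10:12])
    pos, issuer_key_hash = 12, None
    if entry_type == 1:                      # precert_entry
        issuer_key_hash = raw[pos:pos + 32]
        pos += 32
    elif entry_type != 0:
        raise ValueError("unknown entry_type %d" % entry_type)
    length = int.from_bytes(raw[pos:pos + 3], "big")
    cert = raw[pos + 3:pos + 3 + length]
    return {"timestamp_ms": timestamp_ms,
            "entry_type": "x509_entry" if entry_type == 0 else "precert_entry",
            "issuer_key_hash": issuer_key_hash,
            "certificate": cert}


def build_leaf_input(timestamp_ms: int, cert_der: bytes) -> str:
    """Inverse of parse_leaf_input for an x509_entry (used here to construct test data)."""
    raw = (b"\x00\x00" + struct.pack(">Q", timestamp_ms) + struct.pack(">H", 0)
           + len(cert_der).to_bytes(3, "big") + cert_der + b"\x00\x00")
    return base64.b64encode(raw).decode()


def get_json(base_url: str, path: str, **params) -> dict:
    """GET <base_url>/<path>?<params> and decode the JSON body (live network call)."""
    url = "%s/%s" % (base_url, path)
    if params:
        url += "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def decode_entries(response: dict) -> list:
    """Decode every leaf in a get-entries body: {"entries": [{"leaf_input": ..., "extra_data": ...}]}."""
    return [parse_leaf_input(e["leaf_input"]) for e in response["entries"]]


if __name__ == "__main__":
    print("Deneb Log ID:", log_id_from_pem(DENEB_PEM))
    sth = get_json(DENEB_URL, "get-sth")
    print("tree_size:", sth["tree_size"], "timestamp:", sth["timestamp"])
    for entry in decode_entries(get_json(DENEB_URL, "get-entries", start=0, end=4)):
        print(entry["entry_type"], entry["timestamp_ms"], len(entry["certificate"]), "bytes")
```

A monitor built on this loops from the last index it saw up to `tree_size - 1` in batches, feeds each decoded certificate (or TBSCertificate, for precert entries) to an X.509 parser, and alerts on any subject or SAN that matches its domains but was not requested by the organization. Precert entries are the common case in practice, since CAs log the precertificate to obtain the SCTs they embed.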

Other people and companies that have access to the logs can use the information as they see fit. Note that if your certificate is publicly reachable, anyone can see that information today.


How to identify if a certificate is CT enabled?
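The page leaves this question unanswered. As an added example that is not Symantec's code, the Python below answers it the way a practitioner would: a certificate is CT enabled in the embedded sense when it carries the SignedCertificateTimestampList extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962 section 3.3). The code walks the DER structure by hand (Certificate, tbsCertificate, the [3] EXPLICIT extensions list), returns the SCTs it finds, and reports the Log ID and timestamp of each so you can match them against a log's published Log ID. The sample certificate is a constructed DER skeleton with placeholder signature fields, built only to exercise the parser; SCTs delivered through the TLS extension or OCSP stapling are not visible in the certificate and this check cannot see them.

```python
"""Check a DER certificate for embedded SCTs (RFC 6962 s3.3).
Added example for this FAQ, not Symantec code; standard library only."""
import base64

# DER contents of OBJECT IDENTIFIER 1.3.6.1.4.1.11129.2.4.2 (embedded SCT list)
SCT_LIST_OID = bytes.fromhex("2b06010401d679020402")


def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("invalid DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV overruns buffer")
    return tag, pos, pos + length


def children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def find_extension(cert_der: bytes, oid: bytes):
    """Return the extnValue bytes for `oid`, or None if the certificate lacks it.
    Path: Certificate -> tbsCertificate -> [3] EXPLICIT Extensions -> Extension."""
    _, cs, _ = read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, ts, te = read_tlv(cert_der, cs)            # tbsCertificate SEQUENCE
    for tag, vs, ve in children(cert_der, ts, te):
        if tag != 0xA3:                           # [3] EXPLICIT Extensions
            continue
        _, es, ee = read_tlv(cert_der, vs)        # SEQUENCE OF Extension
        for _, xs, xe in children(cert_der, es, ee):
            fields = list(children(cert_der, xs, xe))
            otag, os_, oe = fields[0]
            if otag == 0x06 and cert_der[os_:oe] == oid:
                _, v0, v1 = fields[-1]            # extnValue OCTET STRING (critical BOOLEAN may sit between)
                return cert_der[v0:v1]
    return None


def parse_sct_list(extn_value: bytes) -> list:
    """extnValue wraps an OCTET STRING holding a TLS-encoded
    SignedCertificateTimestampList: uint16 total length, then uint16-prefixed SCTs."""
    _, s, e = read_tlv(extn_value, 0)
    data = extn_value[s:e]
    total = int.from_bytes(data[:2], "big")
    pos, scts = 2, []
    while pos < 2 + total:
        n = int.from_bytes(data[pos:pos + 2], "big")
        sct = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        scts.append({"version": sct[0],
                     "log_id": base64.b64encode(sct[1:33]).decode(),  # compare with a log's published Log ID
                     "timestamp_ms": int.from_bytes(sct[33:41], "big")})
    return scts


def embedded_scts(cert_der: bytes) -> list:
    """Empty list: no embedded SCTs, so not CT enabled by embedding."""
    ext = find_extension(cert_der, SCT_LIST_OID)
    return parse_sct_list(ext) if ext is not None else []


# ---- constructed sample data (a DER skeleton, not a real certificate) -------
def tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used to build the sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def sample_cert(with_sct: bool, log_id_b64: str, timestamp_ms: int) -> bytes:
    """Certificate-shaped DER with version, serial, extensions and placeholder
    signature fields: enough structure to exercise the walk above."""
    exts = [tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30, b"")))]  # basicConstraints
    if with_sct:
        sct = (b"\x00" + base64.b64decode(log_id_b64) + timestamp_ms.to_bytes(8, "big")
               + b"\x00\x00"                                # no CT extensions
               + b"\x04\x03" + b"\x00\x02" + b"\x30\x00")   # sha256/ecdsa, dummy signature
        lst = len(sct).to_bytes(2, "big") + sct
        lst = len(lst).to_bytes(2, "big") + lst
        exts.append(tlv(0x30, tlv(0x06, SCT_LIST_OID) + tlv(0x04, tlv(0x04, lst))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a certificate on disk, pass `base64.b64decode` of the PEM body (the text between the BEGIN and END lines) to `embedded_scts`. OpenSSL 1.1.0 and later print the same extension as a "CT Precertificate SCTs" section in `openssl x509 -in cert.pem -noout -text`, which is the quickest manual check.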

How do I replace my certificate to add CT?
