DigiCert Blog

Clearing Up Confusion about Certificate Transparency Requirements

Google does not require DigiCert to enable CT for all Organization Validated SSL Certificates.

Some SSL Certificate customers have received emails from other Certificate Authorities (CA) that say they must enable Certificate Transparency (CT) for all their SSL Certificates. These emails urge customers to enable CT for “all” their SSL Certificates by June 1, 2016 otherwise their site(s) may be deemed “untrusted” in Google’s Chrome browser.

This has caused confusion for admins. These emails have not been sent by DigiCert and do not pertain to DigiCert-issued OV SSL Certificates (e.g., SSL Plus, Multi-Domain SSL, Wildcard). No action is required for DigiCert customers.

Background on Certificate Transparency

Beginning January 1, 2015, Google required all CAs to log EV SSL Certificates in the Google-operated CT log and another independent CT log recognized by Google. Google developed CT logs to help organizations identify SSL Certificates that are issued for them and their domains. CT logs also help admins and CAs identify when unauthorized SSL Certificates are issued for an organization and their domains.

Because of the misissuance of certificates for Google and other unauthorized domains, Google requires only certain CAs to support Certificate Transparency in all their SSL Certificates. Other CAs may continue with no change to Chrome CT Policy requirements, logging only EV SSL Certificates in the CT logs.

DigiCert Only Enables CT for EV Certificates

This requirement by Google does not affect DigiCert and DigiCert-issued OV SSL Certificates. DigiCert is only required to enable CT for all EV SSL Certificates, which DigiCert does by default.

It is a security best practice to enable CT for all SSL Certificates, and DigiCert customers can enable CT for their organization’s OV SSL Certificate(s) simply by contacting our support team at support@digicert.com.

Customers who have certificates with other CAs should contact their CA if they are unsure whether or not they need to enable CT for all their SSL Certificates.

Share on Facebook0Share on Google+1Tweet about this on TwitterShare on LinkedIn21