Certificate Transparency
2018.05.10
All TLS certificates issued by Buypass after April 2018 support Certificate Transparency (CT). Our SSL Evident certificates have supported CT since 2015; from April 2018 the same applies to all our TLS certificates.
Background
Google requires that all TLS certificates issued after April 2018 comply with its Certificate Transparency policy in order to be trusted in Chrome; see https://github.com/chromium/ct-policy for details.
What is Certificate Transparency?
Certificate Transparency is about transparency and accountability. By requiring that every TLS certificate be published in open, publicly available logs, it becomes possible to monitor all TLS certificates as they are issued, in near real time, including the certificates issued for specific domain names, for example those you control yourself.
Certificate Transparency is an open framework for monitoring and auditing TLS certificates. The main purpose of CT is to improve online security by bringing accountability into the WebPKI ecosystem. A Certificate Authority (CA) trusted by browsers is trusted to issue certificates for any domain, and there have been incidents involving mis-issuance from CAs.
Certificate Transparency is an ambitious project led by Google, which adds greater transparency around the issuance of TLS certificates. We consider the CT ecosystem to be an extension of the WebPKI ecosystem in which domain owners can monitor issuance and quickly identify mis-issued certificates.
The CT ecosystem introduces new participants alongside browsers and CAs: CT log operators, CT auditors and CT monitors. See https://www.certificate-transparency.org/ for more information about the CT ecosystem.
How do TLS certificates prove CT compliance to browsers?
CT-enforcing browsers (like Chrome) require that a TLS certificate be accompanied by proof from qualified CT logs in order to be trusted. A CT log issues a Signed Certificate Timestamp (SCT) when a certificate is submitted to it. The SCT is the log's signed promise to include the certificate in the log within the log's maximum merge delay, and browsers accept it as proof that the certificate has been logged.
The most efficient method for delivering SCTs to the browser is to embed them in the certificate at the time of issuance.
This complicates the issuance process: the CA must first build a pre-certificate (the contents of the final certificate plus a critical poison extension that prevents it from being used as a certificate) and submit it to a number of CT logs in accordance with Google's CT policy (2 or 3 logs, depending on the certificate's validity period, including at least one Google-operated log and one non-Google log). Each log returns an SCT for the pre-certificate as its promise of inclusion, and the SCTs are then embedded into the final certificate at the time of issuance.
Anybody can submit a certificate to a CT log and receive an SCT to present to the browser, and there are other ways to deliver it, for example the signed_certificate_timestamp TLS extension or a stapled OCSP response (both defined in RFC 6962). However, these require that the server software supports the mechanism and that site operators configure it correctly. This is not trivial and can introduce errors.
The easiest and most efficient way of presenting SCTs to browsers is to embed them in the certificate itself, so that the SCTs are delivered to the browser as part of the certificate during the standard TLS handshake.
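To make the embedding described above concrete, here is an added example (not Buypass code, and not taken from any CT log or browser implementation): a parser and encoder for the SignedCertificateTimestampList that is carried in the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2 (RFC 6962, section 3.3), followed by a check of the embedded-SCT rules from Chrome's CT policy of the time. It goes slightly beyond the "2 or 3 logs" in the text by implementing the full lifetime table (2, 3, 4 or 5 SCTs) and the Google / non-Google log requirement. The log IDs, operator names, timestamps and signature bytes are constructed placeholders; SCT signatures are parsed but not verified.

```python
"""Parse/encode an RFC 6962 SignedCertificateTimestampList (the payload of the
X.509 extension 1.3.6.1.4.1.11129.2.4.2) and apply Chrome's embedded-SCT rules.
Added example, not Buypass code. Log IDs, operators and signatures below are
constructed placeholders; signatures are not verified."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"


@dataclass
class SCT:
    version: int        # 0 = v1 (RFC 6962)
    log_id: bytes       # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes   # v1 SCTs carry none in practice
    hash_alg: int       # TLS HashAlgorithm, 4 = sha256
    sig_alg: int        # TLS SignatureAlgorithm, 3 = ecdsa
    signature: bytes    # DigitallySigned over the pre-certificate, not checked here


def _vec(buf: bytes, pos: int, width: int) -> tuple[bytes, int]:
    """Read a TLS opaque<..> vector with a `width`-byte big-endian length prefix."""
    if pos + width > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    if pos + n > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[pos:pos + n], pos + n


def parse_sct(raw: bytes) -> SCT:
    """Decode one SignedCertificateTimestamp structure."""
    if len(raw) < 41 or raw[0] != 0:
        raise ValueError("truncated SCT or unsupported version")
    log_id = raw[1:33]
    ts = int.from_bytes(raw[33:41], "big")
    exts, pos = _vec(raw, 41, 2)
    if pos + 2 > len(raw):
        raise ValueError("truncated signature header")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    sig, pos = _vec(raw, pos + 2, 2)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    return SCT(0, log_id, ts, exts, hash_alg, sig_alg, sig)


def parse_sct_list(ext_value: bytes) -> list[SCT]:
    """ext_value is the extension's OCTET STRING content: a 2-byte total length
    followed by 2-byte-length-prefixed SCTs."""
    body, end = _vec(ext_value, 0, 2)
    if end != len(ext_value):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        raw, pos = _vec(body, pos, 2)
        scts.append(parse_sct(raw))
    return scts


def encode_sct_list(scts: list[SCT]) -> bytes:
    """Inverse of parse_sct_list: how a CA serialises the SCTs it embeds."""
    out = b""
    for s in scts:
        body = (bytes([s.version]) + s.log_id + s.timestamp_ms.to_bytes(8, "big")
                + len(s.extensions).to_bytes(2, "big") + s.extensions
                + bytes([s.hash_alg, s.sig_alg])
                + len(s.signature).to_bytes(2, "big") + s.signature)
        out += len(body).to_bytes(2, "big") + body
    return len(out).to_bytes(2, "big") + out


def lifetime_months(not_before: date, not_after: date) -> int:
    """Validity in whole calendar months, rounded down (as Chromium's enforcer does)."""
    months = (not_after.year - not_before.year) * 12 + not_after.month - not_before.month
    return months - 1 if not_after.day < not_before.day else months


def required_sct_count(months: int) -> int:
    """Chrome CT policy (2018): embedded SCTs from distinct qualified logs, by lifetime."""
    if months < 15:
        return 2
    if months <= 27:
        return 3
    return 4 if months <= 39 else 5


def check_embedded_scts(ext_value: bytes, not_before: date, not_after: date,
                        qualified_logs: dict[bytes, str]) -> list[str]:
    """qualified_logs maps log_id -> operator for logs the browser trusts.
    Returns the policy violations found; an empty list means CT compliant."""
    seen = {s.log_id for s in parse_sct_list(ext_value)}
    operators = [qualified_logs[l] for l in seen if l in qualified_logs]  # unknown logs don't count
    need = required_sct_count(lifetime_months(not_before, not_after))
    problems = []
    if len(operators) < need:
        problems.append(f"{len(operators)} SCT(s) from qualified logs, policy requires {need}")
    if "Google" not in operators:
        problems.append("no SCT from a Google-operated log")
    if not any(op != "Google" for op in operators):
        problems.append("no SCT from a non-Google log")
    return problems


# Constructed sample data: fake 32-byte log IDs and a fake DER-ish signature blob.
LOGS = {b"\x01" * 32: "Google", b"\x02" * 32: "Google", b"\x03" * 32: "ExampleOperator"}


def sample_sct(log_id: bytes) -> SCT:
    return SCT(0, log_id, 1525132800000, b"", 4, 3, b"\x30\x06\x02\x01\x01\x02\x01\x02")


if __name__ == "__main__":
    ext = encode_sct_list([sample_sct(l) for l in LOGS])   # 3 logs, 2 Google + 1 other
    print(check_embedded_scts(ext, date(2018, 5, 1), date(2020, 8, 3), LOGS))
```

In real use the `ext_value` comes from the certificate's extension with OID `SCT_LIST_OID`; an 825-day certificate (the maximum allowed from March 2018) rounds down to 27 months and so needs three SCTs, which is the "2 or 3" range the text refers to.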
What does Buypass do?
From the end of April 2018, Buypass supports Certificate Transparency by embedding SCTs in all TLS certificates at the time of issuance.
Anyone choosing TLS certificates from Buypass can be sure that their certificates will be trusted by browsers that enforce CT compliance (like Chrome).