Since May 2018, every publicly trusted SSL certificate that Chrome accepts has been issued in accordance with Certificate Transparency (CT), a mechanism designed at Google and standardized in RFC 6962. CT is essentially a set of public, append-only logs that make it possible, among other things, to detect mis-issued certificates quickly. It operates through log servers: before issuing a certificate, the certificate authority submits it (in practice, a precertificate) to several logs, and each log answers with a Signed Certificate Timestamp (SCT), a signed promise to include the certificate in the log within a fixed time. The SCTs are then embedded in an extension of the final certificate, which is how browsers learn that the certificate has been logged.
SSL certificates are currently issued by authorities all over the world. Despite a wide range of protective procedures and safeguards, the certificate issuance process does not always go smoothly. A mistake typically results in the improper issuance of a certificate, which an attacker can then use to impersonate a site and intercept confidential data. The aim of the Certificate Transparency mechanism is to protect users from such threats. While CT does not prevent an erroneous certificate from being issued, it makes the certificate publicly visible, so that the affected domain owner or the CA can identify it quickly and revoke it. This sharply narrows the window in which a mis-issued certificate can be used against users.
Main Principles of Certificate Transparency
The CT system began to be widely adopted at the beginning of 2015. At that time, Google made it mandatory for Extended Validation (EV) certificates: an EV certificate issued from January 2015 onward had to be submitted to so-called log servers before issuance, and a certificate that did not carry the resulting SCTs lost its EV indicator in Chrome and was displayed as an ordinary certificate. The idea behind Certificate Transparency therefore relies primarily on public disclosure of SSL certificates by certificate authorities at the moment they are issued. This takes place by publishing the certificates to the appropriate log servers. A log is an append-only Merkle tree: new certificates can be added, but existing entries cannot be removed or altered without the change being detectable by anyone who checks the log's signed tree heads. Anyone interested in the contents of a log can search it, and a domain owner can use it to see every certificate that has been issued for their names and spot any they did not request.
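As an added illustration of the append-only property described above (this code is not part of the original article), here is a small Python implementation of the RFC 6962 Merkle tree hash and inclusion proofs, using the verification procedure spelled out in RFC 9162. The entries are constructed byte strings standing in for certificates; a real log hashes the serialized MerkleTreeLeaf structure instead. It shows that every entry can be proven to sit under the published root, that a modified entry fails the proof, and that appending entries changes the root while leaving every earlier entry provable.

```python
# Added example: RFC 6962 section 2.1 Merkle tree hash and inclusion proofs,
# the structure that makes a CT log append-only and publicly verifiable.
import hashlib

def leaf_hash(entry):
    return hashlib.sha256(b"\x00" + entry).digest()          # 0x00 prefix marks a leaf

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()   # 0x01 prefix marks an inner node

def _split(n):
    """Largest power of two strictly smaller than n (the RFC's split point)."""
    k = 1
    while 2 * k < n:
        k *= 2
    return k

def tree_hash(entries):
    """Merkle Tree Hash; the log's signed tree head commits to this root."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_proof(entries, index):
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [tree_hash(entries[:k])]

def verify_inclusion(entry, index, tree_size, proof, root):
    """Client-side check (RFC 9162 section 2.1.3.2): recompute the root from the path."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn != 0:   # fn == sn and even: no sibling at these levels
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def demo():
    entries = [b"cert-A", b"cert-B", b"cert-C", b"cert-D", b"cert-E"]   # constructed log entries
    root = tree_hash(entries)
    proofs_ok = all(verify_inclusion(e, i, len(entries), inclusion_proof(entries, i), root)
                    for i, e in enumerate(entries))
    # A tampered entry no longer verifies against the published root...
    tampered = verify_inclusion(b"cert-X", 1, len(entries), inclusion_proof(entries, 1), root)
    # ...while appending keeps every earlier entry provable under the new root.
    grown = entries + [b"cert-F"]
    new_root = tree_hash(grown)
    still_ok = verify_inclusion(entries[0], 0, len(grown), inclusion_proof(grown, 0), new_root)
    return {"proofs_ok": proofs_ok, "tampered_ok": tampered,
            "root_changed": new_root != root, "old_entry_still_ok": still_ok}
```

A monitor watching a real log does the same computation against the signed tree head the log publishes; the domain-separating 0x00 and 0x01 prefixes are what stop an attacker from passing an inner node off as a leaf or vice versa.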
Certificate Transparency and the Chrome Browser
Google defines the CT policy that Chrome enforces (Apple maintains a separate, similar policy for Safari). Chrome's policy stipulates that all certificates issued after April 30, 2018, must be logged on CT log servers; otherwise Chrome treats the certificate as untrusted and shows a full-page certificate error (NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED) rather than loading the page. Given Chrome's large market share, the risk that a certificate authority ignores this requirement is fortunately quite low.
Compliance with Certificate Transparency
Holders of SSL certificates issued before the end of April 2018 need not worry: the Chrome requirement applies only to certificates issued on or after May 1, 2018. When obtaining a new SSL certificate, however, it is advisable to check that it contains the required number of SCTs (Signed Certificate Timestamps). Each SCT is a log's signed promise that the certificate has been accepted and will be included in that log; the policy requires such promises from a minimum number of distinct logs.
SCTs can be delivered to the browser in three ways: embedded in an X.509 extension of the certificate itself, sent in a TLS extension (signed_certificate_timestamp) during the handshake, or carried in a stapled OCSP response. Embedding is by far the most common, since it needs no server-side support and works anywhere the certificate is deployed. For embedded SCTs, Chrome's policy requires at least 2 SCTs for certificates valid for fewer than 15 months and at least 3 for certificates valid for 15 to 27 months, in each case from distinct logs. The count can be checked with any tool that decodes the certificate, for example OpenSSL's x509 -text output, which lists the CT Precertificate SCTs extension.
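To make the SCT structure described in the opening paragraph and the thresholds above concrete, here is an added Python example (not from the original article) that serializes SCTs exactly as RFC 6962 section 3.3 defines them, wraps the list in the DER OCTET STRING found in the certificate extension, parses it back and applies Chrome's 2018 thresholds. It goes beyond the text in two respects that follow from the published 2018 policy: the full table (4 SCTs for 27 to 39 months, 5 above that) and the rule that the SCTs must come from distinct logs. The log IDs, timestamps and signature bytes are constructed, the whole-months reading of the lifetime is an assumption, and signatures are not verified, since that needs each log's public key and the precertificate.

```python
# Added example: build, parse and policy-check the SCT list carried in the
# CT X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2), per RFC 6962 section 3.3.
import hashlib
import struct
from datetime import date
from typing import List, NamedTuple


class SCT(NamedTuple):
    log_id: bytes        # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int    # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int        # TLS HashAlgorithm (4 = sha256)
    sig_alg: int         # TLS SignatureAlgorithm (3 = ecdsa)
    signature: bytes     # not verified here; that needs the log key and precertificate

def log_id_for(name):
    """Constructed log ID for the demo (a real one is SHA-256 of the log's DER public key)."""
    return hashlib.sha256(b"demo-log:" + name.encode()).digest()

def encode_sct(log_id, timestamp_ms, signature, extensions=b"", hash_alg=4, sig_alg=3):
    """Serialize one v1 SCT as a log would return it."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature)

def encode_sct_list(scts):
    """SignedCertificateTimestampList: 2-byte total length, then 2-byte-prefixed SCTs."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def der_octet_string(payload):
    """Wrap the list in the DER OCTET STRING found inside the extension value."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack(">H", n)
    return b"\x04" + length + payload

def der_unwrap_octet_string(der):
    if not der or der[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    n = 0 if der[1] < 0x80 else der[1] & 0x7F          # long-form length uses n extra bytes
    length = der[1] if n == 0 else int.from_bytes(der[2:2 + n], "big")
    if 2 + n + length != len(der):
        raise ValueError("bad OCTET STRING length")
    return der[2 + n:]

def parse_sct(raw):
    if len(raw) < 47 or raw[0] != 0:
        raise ValueError("truncated or non-v1 SCT")
    timestamp_ms, ext_len = struct.unpack(">QH", raw[33:43])
    pos = 43 + ext_len                                  # start of the digitally-signed struct
    if len(raw) < pos + 4:
        raise ValueError("truncated SCT extensions")
    (sig_len,) = struct.unpack(">H", raw[pos + 2:pos + 4])
    if pos + 4 + sig_len != len(raw):
        raise ValueError("malformed SCT signature")
    return SCT(raw[1:33], timestamp_ms, raw[43:pos], raw[pos], raw[pos + 1], raw[pos + 4:])

def parse_sct_list(blob):
    (total,) = struct.unpack(">H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(blob):
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        if pos + 2 + n > len(blob):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(blob[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def lifetime_months(not_before, not_after):
    """Whole months of validity (assumed reading of 'months' in the Chrome policy)."""
    months = (not_after.year - not_before.year) * 12 + not_after.month - not_before.month
    return months - 1 if not_after.day < not_before.day else months

def required_scts(months):
    """Embedded-SCT minimums from Chrome's 2018 CT policy, by certificate lifetime."""
    return 2 if months < 15 else 3 if months <= 27 else 4 if months <= 39 else 5

def check_chrome_2018_policy(scts, not_before, not_after):
    """Return (compliant, required, distinct logs); several SCTs from one log count once."""
    needed = required_scts(lifetime_months(not_before, not_after))
    have = len({s.log_id for s in scts})
    return have >= needed, needed, have

def demo():
    sig = bytes(range(70))                        # placeholder bytes, not a real ECDSA signature
    nb, na = date(2018, 5, 1), date(2020, 5, 1)   # 24-month certificate: 3 SCTs needed
    scts = [encode_sct(log_id_for(n), 1525132800000 + i, sig)
            for i, n in enumerate(["alpha", "bravo", "charlie"])]
    der = der_octet_string(encode_sct_list(scts))  # over 255 bytes, so long-form DER length
    parsed = parse_sct_list(der_unwrap_octet_string(der))
    dup = parse_sct_list(encode_sct_list([scts[0], scts[0], scts[1]]))
    return {"months": lifetime_months(nb, na), "count": len(parsed),
            "three_distinct": check_chrome_2018_policy(parsed, nb, na),
            "two_only": check_chrome_2018_policy(parsed[:2], nb, na),
            "duplicate_log": check_chrome_2018_policy(dup, nb, na)}
```

In a real certificate the extension's extnValue is itself an OCTET STRING wrapping the one built here, so a decoder starting from raw DER unwraps twice before reaching the TLS-style list. The duplicate-log case in demo() is the check worth keeping: three SCTs are not enough if two of them come from the same log.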