Certificate Transparency: FAQs

On February 1, 2015, the DigiCert Certificate Transparency (CT) Log became the first independent CT log to be incorporated by Google in the Chrome browser. Certificate Transparency is Google’s proposed solution to the opaqueness that has, until now, been inherent in the CA ecosystem. CT provides a way for every certificate issued by any publicly trusted CA to be publicly logged, monitored, and audited. Certificate Transparency’s main goal is to “remedy certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users.”

As DigiCert continues to maintain its CT log and further the goals of Certificate Transparency, we want to address some of your frequently asked questions. If you have a question concerning CT that does not appear here, please tweet at us @digicert, or leave a question in the comments below.

Frequently Asked Questions about Certificate Transparency

Why am I seeing the message: “The identity of this website has been verified by [Issuer] but does not have public audit records” on my site in Chrome?

The certificate installed on the site where you see this message does not have CT enabled. In its current version, CT is only required for EV Certificates.

Is CT required for OV/DV certs?

Not currently, but the long-term plan is to have CT enabled for every certificate issued by any trusted CA.

Does not having CT enabled cause a yellow warning icon to appear in the address bar?

No, this warning is typically caused by a SHA-1 certificate that is still in use, or by a server configuration issue. In an earlier article we shed more light on the Google Chrome connection tab.

What’s the recommended way of enabling CT?

We recommend embedding SCTs in your certificates or enabling OCSP Stapling. The CT TLS extension will become a viable alternative once servers have widespread support for it.
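Whichever delivery method is used (embedded in the certificate, OCSP Stapling, or the TLS extension), the client ends up with the same TLS-encoded SCT list defined in RFC 6962. The following added example, which is not DigiCert's code, parses that list once it has been unwrapped from its container so you can confirm which logs a reissued certificate carries SCTs from; the function names and the sample bytes (fake log IDs, placeholder signatures) are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SignedCertificateTimestamp (RFC 6962, section 3.2)."""
    # Layout: version(1) log_id(32) timestamp(8) ext_len(2) ext hash(1) sig(1) sig_len(2) sig
    if len(sct) < 47 or sct[0] != 0:
        raise ValueError("not a complete v1 SCT")
    ts_ms, ext_len = struct.unpack_from(">QH", sct, 33)
    pos = 43 + ext_len
    if len(sct) < pos + 4:
        raise ValueError("SCT extensions overrun the record")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if len(sct) != pos + 4 + sig_len:
        raise ValueError("SCT signature length mismatch")
    return {
        "log_id": sct[1:33].hex(),  # SHA-256 of the log's public key
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat(),
        "hash_alg": hash_alg,       # TLS HashAlgorithm, 4 = sha256
        "sig_alg": sig_alg,         # TLS SignatureAlgorithm, 3 = ecdsa
        "signature": sct[pos + 4:],
    }

def parse_sct_list(data: bytes) -> list:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        sct_len = int.from_bytes(data[pos:pos + 2], "big")
        if pos + 2 + sct_len > len(data):
            raise ValueError("SCT overruns the list")
        scts.append(parse_sct(data[pos + 2:pos + 2 + sct_len]))
        pos += 2 + sct_len
    return scts

def build_sample_sct(log_byte: int, ts_ms: int, sig: bytes = b"\x30\x00") -> bytes:
    """Constructed test record: fake log ID and placeholder signature, not real log output."""
    return (b"\x00" + bytes([log_byte]) * 32 + struct.pack(">QH", ts_ms, 0)
            + bytes([4, 3]) + struct.pack(">H", len(sig)) + sig)

# Constructed sample: two SCTs from two made-up logs.
_records = [build_sample_sct(0xAA, 1422748800000), build_sample_sct(0xBB, 1422748805000)]
SAMPLE_LIST = b"".join(struct.pack(">H", len(r)) + r for r in _records)
SAMPLE_LIST = struct.pack(">H", len(SAMPLE_LIST)) + SAMPLE_LIST

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_LIST):
        print(sct["log_id"][:16], sct["timestamp"])
```

The parser only decodes the structure; it does not verify the log's signature, which requires the log's public key.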

Do I have to change anything on my web server?

If you would like to enable CT, contact our Support Team with your account ID or order number. Once enabled, you will need to reissue and install any certificates you’d like CT to affect.

Can I enable CT for individual orders or certificates?

Currently, CT is enabled account-wide and applies to all SSL Certificates generated in your account after CT has been enabled.

Does CT work for Code Signing, Document Signing, and other non-SSL Certificates?

No, CT is only for SSL/TLS Certificates. It does not work for Code Signing, Document Signing, Client, or other certificate types.

DigiCert and the Future of Certificate Transparency

As DigiCert continues to play an active role in the further development of Certificate Transparency, we will stay at the forefront of notifying our customers of the changes and innovations made for CT. Just as innovative web security is our priority, so is the success and satisfaction of our customers.