Starting February 1, 2018, DigiCert will submit all newly issued and publicly trusted SSL certificates to Certificate Transparency (CT) logs by default. In the interest of improving our customers’ security and encouraging adoption, we are making this change ahead of Google’s industry-wide requirement that goes into effect in April 2018. CT logging has been required only for EV certificates since 2015.
This change will happen automatically on February 1st. Your publicly trusted DigiCert SSL Certificates issued on or after that date will include pieces of data called “SCTs”—Signed Certificate Timestamps. These are embedded directly into the certificate and tell client software, like web browsers, that the certificate has been logged. When Google Chrome begins enforcing CT compliance in April, your certificates will already be compatible. You don’t need to do anything unless you don’t want your certificates logged.
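To make concrete what those embedded SCTs carry and how client software reads them, here is an added example (written for this page, not DigiCert's own code). It parses the TLS-encoded SignedCertificateTimestampList defined in RFC 6962, which is the payload of the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2. The log ID, timestamp and signature in the sample are constructed placeholders, and the function names are this example's own. The parser checks structure only; verifying an SCT signature requires the log's public key and is not shown.

```python
"""Decode the SCT list embedded in a publicly trusted certificate.

Constructed example, not DigiCert's code. Parses the TLS-encoded
SignedCertificateTimestampList (RFC 6962 section 3.3), the payload of the
X.509 extension 1.3.6.1.4.1.11129.2.4.2. Structure checks only.
"""
from datetime import datetime, timezone

# RFC 5246 section 7.4.1.4.1 algorithm identifiers used in the SCT signature.
HASH_ALGORITHMS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
                   4: "sha256", 5: "sha384", 6: "sha512"}
SIGNATURE_ALGORITHMS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def _take(buf: bytes, n: int, off: int):
    """Return buf[off:off+n] and the new offset, refusing to read past the end."""
    if off + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[off:off + n], off + n


def _u16(buf: bytes, off: int):
    raw, off = _take(buf, 2, off)
    return int.from_bytes(raw, "big"), off


def unwrap_der_octet_string(ext_value: bytes) -> bytes:
    """Strip the DER OCTET STRING header (tag 0x04) that wraps the list in X.509."""
    if not ext_value or ext_value[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    first = ext_value[1]
    if first < 0x80:                         # short-form length
        length, off = first, 2
    else:                                    # long-form length: 0x8N then N bytes
        n = first & 0x7F
        length = int.from_bytes(ext_value[2:2 + n], "big")
        off = 2 + n
    body, end = _take(ext_value, length, off)
    if end != len(ext_value):
        raise ValueError("trailing bytes after OCTET STRING")
    return body


def parse_sct(raw: bytes) -> dict:
    """Parse one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    version, off = raw[0], 1
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    log_id, off = _take(raw, 32, off)             # SHA-256 of the log's public key
    ts_raw, off = _take(raw, 8, off)
    timestamp_ms = int.from_bytes(ts_raw, "big")  # milliseconds since the Unix epoch
    ext_len, off = _u16(raw, off)
    extensions, off = _take(raw, ext_len, off)
    algs, off = _take(raw, 2, off)                # hash algorithm, signature algorithm
    sig_len, off = _u16(raw, off)
    signature, off = _take(raw, sig_len, off)
    if off != len(raw):
        raise ValueError("trailing bytes in SCT")
    return {
        "version": version,
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc).isoformat(),
        "extensions": extensions.hex(),
        "hash_alg": HASH_ALGORITHMS.get(algs[0], f"unknown({algs[0]})"),
        "sig_alg": SIGNATURE_ALGORITHMS.get(algs[1], f"unknown({algs[1]})"),
        "signature": signature.hex(),
    }


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList: u16 total length, then u16-prefixed SCTs."""
    total, off = _u16(data, 0)
    if off + total != len(data):
        raise ValueError("SCT list length mismatch")
    scts = []
    while off < len(data):
        sct_len, off = _u16(data, off)
        raw, off = _take(data, sct_len, off)
        scts.append(parse_sct(raw))
    return scts


def build_sample_extension() -> bytes:
    """Constructed extension value holding one SCT; log ID, timestamp and signature are fake."""
    log_id = bytes([0x11]) * 32
    timestamp_ms = 1517443200000                   # 2018-02-01T00:00:00Z, the rollout date
    signature = bytes.fromhex("3006020101020101")  # placeholder, not a real ECDSA signature
    sct = (bytes([0]) + log_id + timestamp_ms.to_bytes(8, "big")
           + (0).to_bytes(2, "big")                # no extensions
           + bytes([4, 3])                         # sha256, ecdsa
           + len(signature).to_bytes(2, "big") + signature)
    entry = len(sct).to_bytes(2, "big") + sct
    tls_list = len(entry).to_bytes(2, "big") + entry
    return bytes([0x04, len(tls_list)]) + tls_list  # DER OCTET STRING wrapper


if __name__ == "__main__":
    for sct in parse_sct_list(unwrap_der_octet_string(build_sample_extension())):
        print(f"logged at {sct['timestamp']} by log {sct['log_id'][:16]}... "
              f"({sct['hash_alg']}/{sct['sig_alg']})")
```

On a real certificate, `openssl x509 -in cert.pem -noout -text` prints this extension as "CT Precertificate SCTs" in OpenSSL builds with CT support; feeding its raw value into `unwrap_der_octet_string` and then `parse_sct_list` yields the same fields a browser reads to decide which logs vouched for the certificate and when.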
CT is a system that strengthens the Certificate Authority (CA) and PKI systems. CAs submit the certificates they issue into publicly available databases—known as “logs”—where the certificates can be monitored and searched.
This improves security in two ways:
DigiCert has been a strong supporter of the Certificate Transparency (CT) initiative since its inception. In 2012, we devoted considerable staff time to testing CT implementations in advance of Google making CT officially available. In 2013, we became the first CA to offer the option to log certificates. On December 31, 2014, our log was approved by Google, becoming the first independent log for CT, which was critical to Google’s mandatory EV certificate logging. And this year we launched a series of high-performance logs, built on our own software, which will support the future scale of PKI.
As Google will be requiring logging for all certificates issued after April 2018, we are encouraging users to have their certificates logged ahead of that industry-wide requirement. (Note: private roots/PKIs are not part of this requirement.) Certificates issued after April must be logged if you want them to be trusted by Chrome. Unlogged certificates will be treated similarly to an expired or self-signed certificate and will present a full-page warning.
We will provide the option to opt out of logging; however, this is only necessary if you are aware of specific reasons why your certificates should not be publicly logged. If you want to opt out of logging for all future certificates, you can do so by contacting your account representative or our Support team. If you have a CertCentral account, you have the additional option of opting out on a per-certificate basis.
Note: All Symantec-branded certificates, including Thawte, GeoTrust, and RapidSSL, are already logged by default and this announcement has no impact on those products.