Recently, certain Certificate Authorities (CAs) sent out emails to their customers about Certificate Transparency (CT). The emails urged users to enter their non-EV SSL Certificates in both Google’s CT log and one other publicly trusted CT log, such as DigiCert's. If customers did not comply, the emails warned, their domains could be marked as “untrusted” in Chrome after June 1, 2016.
This email worried some domain owners and made some admins wonder if non-EV SSL Certificates should be registered in a CT log.
In short, yes, all SSL Certificates can be and should be logged. Logging OV SSL Certificates is a best practice that offers all the benefits of logging EV SSL Certificates. Further, logging OV Certificates strengthens overall security with no extra cost to domain owners.
CT is an open framework that CAs, domain owners, or other interested parties use to log their SSL Certificates. This framework helps CAs and domain owners log all SSL Certificates, ensure that those certificates are used correctly, and alert CAs and domain owners when a new certificate is issued for a particular domain. Google created CT to protect CAs, domain owners, and end users against certificate-based threats.
For example, in July 2011 DigiNotar, a Dutch CA, issued a fraudulent Wildcard SSL Certificate for Google. Cybercriminals used the fraudulent certificate to perform a man-in-the-middle attack. Later, DigiNotar admitted to issuing several more unauthorized SSL Certificates. Further investigation revealed that DigiNotar mis-issued over 530 certificates. More recently, in 2015, Google discovered that CNNIC had issued an intermediate SSL Certificate that a firm based in Egypt used to spoof Google domains.
Because of situations like these, involving rogue or compromised CAs as well as mis-issued or stolen certificates, Google saw the need to create CT as a way to track, monitor, and audit SSL Certificates. Currently, Google requires EV SSL Certificates to be logged. For even better security, logging OV SSL Certificates helps ensure that domain owners are alerted if a certificate for their domain is ever mis-issued or compromised.
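The tracking and auditing described above rests on each CT log being an append-only Merkle tree (RFC 6962): the log can prove that any logged certificate is included under the root it signs, and a monitor or auditor can check that proof without trusting the log. The Python below is an added illustration, not code from the original post or from any CA's tooling; the entries are constructed stand-ins for DER certificates, and the hashing and inclusion-proof check follow RFC 6962 and RFC 9162.

```python
import hashlib
# Constructed stand-in entries; a real log's leaves are DER certificates or precerts.
SAMPLE_ENTRIES = [b"constructed-cert-%d" % i for i in range(5)]

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()         # RFC 6962: 0x00 leaf prefix

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 interior-node prefix

def _split_point(n: int) -> int:
    k = 1                                  # largest power of two strictly below n (n >= 2)
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(entries: list) -> bytes:
    """Merkle Tree Hash over the log entries: the root the log signs in its tree head."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_path(m: int, entries: list) -> list:
    """Audit path for entry m, ordered from the leaf's sibling up towards the root."""
    if len(entries) == 1:
        return []
    k = _split_point(len(entries))
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_hash(entries[:k])]

def verify_inclusion(entry: bytes, index: int, tree_size: int, path: list, root: bytes) -> bool:
    """Auditor-side check (RFC 9162 section 2.1.3.2) that entry sits at index under root."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False                       # path is longer than the tree allows
        if fn & 1 or fn == sn:                 # sibling hash is on the left
            r = node_hash(p, r)
            while fn and not fn & 1:           # climb past levels where we were a right edge
                fn, sn = fn >> 1, sn >> 1
        else:                                  # sibling hash is on the right
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

A monitor that receives a tree head and an inclusion proof for a certificate can run verify_inclusion to confirm the log really holds that certificate before raising an alert for the domain owner.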
Here are some key benefits of registering OV SSL Certificates in a CT log:
Ultimately, there is no reason not to publish OV SSL Certificates along with EV SSL Certificates. Logging OV SSL Certificates creates a better shield against certificate-based threats, costs nothing for domain owners, and requires only a simple phone call to opt-in.