Certificate Transparency

Certificate Transparency (CT) is a new Internet standard (RFC 6962, https://tools.ietf.org/html/rfc6962) that addresses the problem of mis-issued certificates and certificate repudiation by making the Transport Layer Security (TLS) ecosystem publicly auditable. Without CT, a domain owner had no way to know which certificates the various public CAs had issued for their domain, short of asking each CA individually. With CT it is easy to audit the quality of the certificates a certificate authority (CA) has issued and determine whether they conform to the standards enforced by the CA/Browser Forum (CAB Forum).

Google Chrome is one of the first browsers to enforce, from April 30th 2018 onwards, that every TLS/SSL certificate is recorded in approved CT logs in order for it to be trusted. Other browsers are expected to adopt the same standard soon. Google Chrome will require a signed certificate timestamp (SCT) in order to trust the certificate without displaying an error message. An SCT is a log server's signed confirmation that it will add the certificate to its list of known certificates.

https://groups.google.com/a/chromium.org/d/msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ
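As an added example that is not part of the original post or of any Microsoft tool, the following dependency-free Python parses the SCT list carried by the embedded-SCT certificate extension (OID 1.3.6.1.4.1.11129.2.4.2) as laid out in RFC 6962, which is what a browser or an auditor inspects to see which logs vouch for a certificate. The sample input is constructed: the log ids and signature are dummy bytes, and no signature is verified.

```python
import struct
from datetime import datetime, timezone
SCT_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension holding the SCT list

def _read_u16_prefixed(buf, pos):
    """Read a TLS-style opaque<0..2^16-1>: 2-byte big-endian length, then bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return buf[pos:pos + length], pos + length

def parse_sct(sct):
    """Parse one serialized v1 SCT (RFC 6962 section 3.2)."""
    if len(sct) < 41 or sct[0] != 0:  # v1 is encoded as 0; reject anything else
        raise ValueError("SCT too short or unsupported version")
    log_id = sct[1:33]                                 # SHA-256 of the log's public key
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])  # ms since the Unix epoch
    extensions, pos = _read_u16_prefixed(sct, 41)
    if pos + 2 > len(sct):
        raise ValueError("missing signature algorithm")
    hash_alg, sig_alg = sct[pos], sct[pos + 1]         # TLS SignatureAndHashAlgorithm
    signature, pos = _read_u16_prefixed(sct, pos + 2)
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT")
    return {"log_id": log_id.hex(), "extensions": extensions, "signature": signature,
            "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg}

def parse_sct_list(ext_value):
    """Parse the SignedCertificateTimestampList inside the extension's OCTET STRING."""
    items, pos = _read_u16_prefixed(ext_value, 0)
    if pos != len(ext_value):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(items):
        raw, pos = _read_u16_prefixed(items, pos)
        scts.append(parse_sct(raw))
    return scts

# Constructed sample (not a real certificate): two SCTs from two dummy logs, empty extensions, SHA-256 (4) / ECDSA (3) ids, dummy signature.
def _build_sct(log_byte, timestamp_ms):
    body = (bytes([0]) + bytes([log_byte]) * 32 + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0) + bytes([4, 3]) + struct.pack(">H", 3) + b"sig")
    return struct.pack(">H", len(body)) + body
_items = _build_sct(0xAA, 1525046400000) + _build_sct(0xBB, 1525046405000)
SAMPLE_EXT_VALUE = struct.pack(">H", len(_items)) + _items
```

Browser CT policies count SCTs from distinct logs rather than SCTs in total, so a check on a real certificate should look at the set of `log_id` values, not just the length of the list.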

Microsoft supports the Certificate Transparency initiative, and all certificates issued to Microsoft properties will contain the SCT extension from April 12th onwards. Microsoft's CT support includes the following:

  • Microsoft CA, or Active Directory Certificate Services (ADCS), now supports pre-certificates to facilitate CT logging. https://support.microsoft.com/en-us/help/4093260/introduction-of-ad-cs-certificate-transparency
  • Azure Key Vault supports enrollment of certificates from DigiCert, GlobalSign and D-Trust, and these CAs have added support for including the SCT extension in the certificates they issue.
  • At the same time, we understand that there are times when Azure customers do not want the SCT extension in their certificate, because a public log entry discloses the certificate's domain names. The integrated CAs above provide the capability, at the account level, to disable or enable CT logging.

Rashmi Jha

Program Manager, Azure Key Vault