Certificate Transparency (CT) extends the current SSL/TLS certificate issuance and monitoring system with publicly auditable, append-only logs of issued certificates. Because anyone can monitor and audit the logs, certificates that a Certificate Authority (CA) issued by mistake, or that were obtained maliciously, can be detected quickly instead of going unnoticed until they are abused.
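To make the idea of a publicly auditable log concrete, the following Python is an added example (not code from the original article, and not from any CT log implementation) of the RFC 6962 Merkle Tree Hash and audit path: a log publishes a signed root hash over everything it has logged, and anyone holding a certificate can check that the log really includes it by verifying a short inclusion proof against that root. The entries are constructed placeholder byte strings standing in for the TLS-encoded MerkleTreeLeaf structures a real log hashes.

```python
"""RFC 6962 Merkle Tree Hash (s2.1) and audit path verification (s2.1.1).

Added example, not from the original article or any CT log software.
ENTRIES are constructed placeholders, not real certificates.
"""
import hashlib

LEAF_PREFIX = b"\x00"   # domain separator for leaf hashes (RFC 6962 s2.1)
NODE_PREFIX = b"\x01"   # domain separator for interior nodes; stops a leaf
                        # being passed off as a node and vice versa

# Constructed log entries; a real log would hash MerkleTreeLeaf structures.
ENTRIES = [b"cert-for-example.com", b"cert-for-example.net",
           b"precert-for-example.org", b"cert-for-example.edu",
           b"cert-for-example.io"]


def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_children(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n > 1), as RFC 6962 requires."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_tree_hash(entries) -> bytes:
    """MTH(D[n]): the root hash a log signs in its Signed Tree Head."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = _split_point(n)
    return hash_children(merkle_tree_hash(entries[:k]),
                         merkle_tree_hash(entries[k:]))


def audit_path(entries, m: int) -> list:
    """PATH(m, D[n]): the sibling hashes needed to rebuild the root from leaf m."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return audit_path(entries[:k], m) + [merkle_tree_hash(entries[k:])]
    return audit_path(entries[k:], m - k) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(leaf_hash: bytes, index: int, tree_size: int,
                     path: list, root: bytes) -> bool:
    """Client-side check that leaf_hash is entry `index` of a tree with this root.

    Follows the bit-walking algorithm from RFC 9162 s2.1.3.2, which verifies
    RFC 6962 audit paths; the proof is rejected if any step does not line up.
    """
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash
    for p in path:
        if sn == 0:
            return False            # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = hash_children(p, r)  # sibling is on the left
            if not fn & 1:           # right-edge node: skip levels with no sibling
                while fn & 1 == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_children(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root     # proof must consume the whole tree height


if __name__ == "__main__":
    root = merkle_tree_hash(ENTRIES)
    print("tree head:", root.hex())
    for i, entry in enumerate(ENTRIES):
        ok = verify_inclusion(hash_leaf(entry), i, len(ENTRIES),
                              audit_path(ENTRIES, i), root)
        print(i, entry.decode(), "included" if ok else "NOT included")
```

A monitor watching the log keeps the signed tree heads it has seen; a client that is handed a certificate plus an inclusion proof needs only the root, the leaf index and a logarithmic number of sibling hashes to confirm the log has committed to that certificate. Any change to the entry, its position, or the proof makes the recomputed root differ.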

In Google Chrome, the certificate details for a site whose certificate carries no CT data show a message like "SSL certificate does not have public audit records". For example, a certificate currently issued by RapidSSL looks like this:

[Image: Chrome certificate details for a RapidSSL certificate without public audit records]

This does NOT indicate a problem with the certificate or the website. As the green padlock shows, the certificate is still valid and is being served correctly. The message only means that Chrome found no Signed Certificate Timestamps (SCTs) for the certificate, so it cannot be checked against a public log.

Full Certificate Transparency Support

Full support for Certificate Transparency means delivering Signed Certificate Timestamps (SCTs), a log's signed promise to include the certificate, to the browser. RFC 6962 defines three ways to do this: embedded in the certificate itself as an X.509 extension (which needs only the CA to submit a pre-certificate to a log before issuing), in a TLS extension sent by the server during the handshake, or inside a stapled OCSP response. The last two need support on the server as well as from the CA. At present (April 2014), almost no hosting platforms support the server side. The changes to the required packages (OpenSSL) are currently scheduled for version 1.0.2, although this may change, and there is no guarantee that they will be backported to current Red Hat / CentOS releases, which means the packages would have to come from a third-party repository.
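Whichever delivery path is used, what reaches the browser is the SignedCertificateTimestampList structure from RFC 6962 section 3.3. The following Python is an added example (not from the original article, and not from any CA, log or server software) that encodes and decodes that TLS wire format so the fields an SCT carries can be inspected, with the length checks a parser of untrusted handshake data needs. The log ID, timestamp and signature bytes are constructed placeholders; no signature is verified here, since that needs the log's public key.

```python
"""Encode and decode the RFC 6962 s3.3 SignedCertificateTimestampList format.

Added example; SAMPLE_* values are constructed placeholders, not from a real log.
"""
import struct

SCT_V1 = 0
HASH_SHA256 = 4     # TLS 1.2 HashAlgorithm.sha256
SIG_ECDSA = 3       # TLS 1.2 SignatureAlgorithm.ecdsa


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"") -> bytes:
    """Serialise one SCT: version, log_id, timestamp, extensions, DigitallySigned."""
    if len(log_id) != 32:
        raise ValueError("log_id must be the 32-byte SHA-256 of the log's public key")
    return (struct.pack("!B", SCT_V1) + log_id + struct.pack("!Q", timestamp_ms)
            + struct.pack("!H", len(extensions)) + extensions
            + struct.pack("!BB", HASH_SHA256, SIG_ECDSA)
            + struct.pack("!H", len(signature)) + signature)


def encode_sct_list(scts) -> bytes:
    """Wrap serialised SCTs in the outer two-byte length-prefixed list."""
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(body)) + body


def decode_sct(data: bytes) -> dict:
    """Parse one SerializedSCT; raise ValueError on truncated or unknown input."""
    def need(n, off):
        if off + n > len(data):
            raise ValueError("truncated SCT")
    need(1 + 32 + 8 + 2, 0)
    version = data[0]
    if version != SCT_V1:
        raise ValueError("unsupported SCT version %d" % version)
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack("!Q", data[33:41])
    (ext_len,) = struct.unpack("!H", data[41:43])
    off = 43
    need(ext_len + 4, off)               # extensions, hash alg, sig alg, sig len
    extensions = data[off:off + ext_len]
    off += ext_len
    hash_alg, sig_alg, sig_len = struct.unpack("!BBH", data[off:off + 4])
    off += 4
    need(sig_len, off)
    signature = data[off:off + sig_len]
    off += sig_len
    if off != len(data):
        raise ValueError("trailing bytes after SCT")
    return {"version": version, "log_id": log_id, "timestamp_ms": timestamp_ms,
            "extensions": extensions, "hash_alg": hash_alg, "sig_alg": sig_alg,
            "signature": signature}


def decode_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList into a list of SCT dicts."""
    if len(data) < 2:
        raise ValueError("truncated SCT list")
    (total,) = struct.unpack("!H", data[:2])
    if 2 + total != len(data):
        raise ValueError("SCT list length mismatch")
    off, scts = 2, []
    while off < 2 + total:
        if off + 2 > len(data):
            raise ValueError("truncated SCT list")
        (n,) = struct.unpack("!H", data[off:off + 2])
        off += 2
        if off + n > len(data):
            raise ValueError("truncated SCT entry")
        scts.append(decode_sct(data[off:off + n]))
        off += n
    return scts


def has_audit_records(sct_list: bytes) -> bool:
    """Rough equivalent of the browser check behind 'does not have public audit records'."""
    try:
        return len(decode_sct_list(sct_list)) > 0
    except ValueError:
        return False


# Constructed placeholders: not a real log ID, signature, or issued certificate.
SAMPLE_LOG_ID = bytes(range(32))
SAMPLE_TIMESTAMP_MS = 1396310400000                      # 2014-04-01T00:00:00Z
SAMPLE_SIGNATURE = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # not a valid ECDSA signature
SAMPLE_LIST = encode_sct_list([encode_sct(SAMPLE_LOG_ID, SAMPLE_TIMESTAMP_MS,
                                          SAMPLE_SIGNATURE)])

if __name__ == "__main__":
    for sct in decode_sct_list(SAMPLE_LIST):
        print("log", sct["log_id"].hex(), "timestamp", sct["timestamp_ms"],
              "signature bytes", len(sct["signature"]))
```

The same byte string is what a server would place in the signed_certificate_timestamp TLS extension or a CA's OCSP responder in its SCT extension; when embedded in a certificate the list is carried as the value of the CT X.509 extension instead. A client that trusts a log must still check the signature over the SCT with that log's public key before treating the timestamp as evidence of logging.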

As certificates remain valid without this support, Conetix recommends waiting until all CAs and the standard system packages support it fully. Once they do, the extra transparency will provide additional assurance that the SSL certificate presented for a site is the one that was legitimately issued for it.

Further Reading

Official Site: https://www.certificate-transparency.org/

Current RFC (Experimental): https://tools.ietf.org/html/rfc6962

Google Group Discussion: https://groups.google.com/forum/#!forum/certificate-transparency
