Adding certificates to the Certificate Transparency (CT) logs.

SSL

We resell Comodo SSL certificates and we offer our customers with savings on the purchase of SSL certificates.

Background

"Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy. After this date, when Chrome connects to a site serving a publicly-trusted certificate that is not compliant with the Chromium CT Policy, users will begin seeing a full page interstitial indicating their connection is not CT-compliant. Sub-resources served over https connections that are not CT-compliant will fail to load and will show an error in Chrome DevTools." -- Devon O'Brien on Chromium CT Policy Mailing List

Comodo CA's Position

All COMODO CA issued TLS/SSL certificates, since 23 March 2018, comply with Chromium's CT Policy, therefore COMODO CA customers need not take any action at this time to include certificates issued on or after such a date in any known CT Log to be compliant with Google's Chrome mandate for April 2018.

Enforcement of CT compliance will only apply to certificates issued after April 2018; certificates issued before this date are unaffected and do not require registration in a known CT Log.

Certificate Transparency (CT) requires that all TLS clients (e.g. Google Chrome) must support the following three mechanisms for including the Signed Certificate Timestamp (SCT) in the TLS handshake:
  • X509v3 Extension
  • TLS Extension
  • OCSP Stapling
As such servers can use any one of these mechanisms to return CT information to TLS clients.
 
Comodo CA makes use of an X509v3 extension and includes (embeds) SCTs within the certificate itself.

Manually adding a Certificate to a Certificate Transparency (CT) Log

     If one wishes to submit a certificate, issued prior to 23 March 2018, to one or more known (to Google Chrome) CT Logging endpoints, please follow these instructions:

  1. Please navigate to -- https://crt.sh/gen-add-chain
    • Open the certificate using a text editor
    • Copy and Paste the certificate into the blank field
    • Click the "Generate JSON" button
    • POST the outputted JSON file to a log's '/ct/v1/add-chain' endpoint using a command such as:

                wget --post-file <json_file> https://mammoth.ct.comodo.com/ct/v1/add-chain 

  2. After receiving the SCT back one will then need to configure their TLS server to serve the SCT.
  3. Use any current version of Google Chrome (e.g. 65.0.3325.181) & confirm if CT information is shared over the TLS session.

 

Additional Resources:

Comodo CA's CT Log URLs:

 

Google's CT Log URLs:

 

A list of logs can be found at: https://crt.sh/monitored-logs