Certificate Transparency

Impacting Extended Validation SSL

Certificate Transparency (CT), a Google initiative, requires all Extended Validation (EV) SSL certificates, along with certificate details, to be registered in public CT logs before the end of January 2015 in order to continue having the green address bar displayed in Chrome.

Ensure Your Existing EV SSL Certificate Is Whitelisted

Existing EV SSL Certificates that are not reachable (by Common Name or SAN) via the Internet will not be whitelisted (i.e. published on public CT logs) without the customers’ permission. This is in deference to the privacy policies of the organization. Published information cannot be removed from the public CT logs.

Automatic Whitelisting Of Public Facing EV SSL Certificates

EV SSL Certificates on public facing sites or servers will be automatically included in public CT logs (whitelisted) by Google prior to February 2015. This is to ensure that the display of the green address bar remains on for these sites.

The intent is to prevent Certificate Authorities (CA) from issuing SSL Certificates for a domain without the domain owner’s knowledge. Chrome support for CT requires that all Certificate Authorities log all Extended Validation (EV) SSL Certificates in publicly auditable, append-only logs for the green address bar to appear in Chrome. This plan starts from February 2015.

Why Might A Customer Care

Starting on February 2015, websites with EV SSL Certificates will continue to have the green address bar displayed in Chrome only if the EV SSL Certificates have CT proof and have been logged in CT public logs. All the certification information associated with the EV SSL Certificate will also be published in the logs. While this is not an issue for publicly reachable sites, customers may not want the information of their EV SSL Certificates on internal servers to be publicly disclosed.

Important Facts

This is an initiative that applies to all EV SSL Certificates, from all issuers.

Existing EV SSL certificates for external facing websites will be automatically published (whitelisted) in the public CT logs before December 2014 to ensure the continuous display of the green address bar in Chrome. There is no action required from EV SSL customers with external facing websites.

Certificate details will be logged along with the listing of the EV SSL Certificate in the public CT logs. Information logged cannot be removed.

In deference to applicable privacy policies, EV SSL Certificates that are not reachable (by Common Name or SAN) via the internet, also known as internal EV SSL Certificates, will not be published (whitelisted) in the public CT logs. We are reaching out to customers to get their consent for these internal EV SSL Certificates to be whitelisted before November 30 2014.

After December 9 2014, any existing internal EV SSL Certificate that needs to be published in the public CT logs will need to be replaced, possibly at cost to the customer. At Certificate replacement, customers can leverage a CT feature to enable the publication of the internal EV SSL Certificate.

Starting on December 2014 EV SSL Certificates will be automatically logged in public CT logs.

An external facing website is defined when we have attempted to connect to a website using secure communications (HTTPS) and a response was received.

An internal facing website is defined when we have attempted to connect to the website using secure communications (HTTPS) and a response was not received; this is an internal-facing website that is not accessible without proper authorization from outside of the private network.

At this time only Chrome have adopted this requirement.