
How is certificate checked for "Certificate Transparency"?

Question asked by j-mailor on Jan 18, 2017
Latest reply on Jan 20, 2017 by j-mailor

Hi,
I checked one of the servers that got a new certificate yesterday from the Let's Encrypt CA.

The test on ssllabs.com reports "Certificate Transparency: No", but looking directly into the log I see this certificate was logged.

Also, there is a statement on the Let's Encrypt web site https://letsencrypt.org/certificates/: "We are dedicated to transparency in our operations and in the certificates we issue. We submit all certificates to Certificate Transparency logs as we issue them."

How does ssllabs.com determine if a certificate is logged into CT? Does it check against a real-time database?

EDIT: I have checked three domains out of the Let's Encrypt list: https://crt.sh/?Identity=%25&iCAID=16418 and found out all of them have got "CT = No" in the ssllabs.com test. Is this Let's Encrypt specific in the ssllabs test?

Additional: I suggest marking "Certificate Transparency: No" with an orange colour. Why?
a) Google Chrome https://threatpost.com/google-to-make-certificate-transparency-mandatory-by-2017/121651/ is going to require certificates to be logged into CT by October 2017.
b) If there is DNS CAA marked with an orange colour, then in my humble opinion "CT = No" should also be in an orange colour.

Regards
