We resell Comodo SSL certificates and we offer our customers with savings on the purchase of SSL certificates.

Background

"Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy. After this date, when Chrome connects to a site serving a publicly-trusted certificate that is not compliant with the Chromium CT Policy, users will begin seeing a full page interstitial indicating their connection is not CT-compliant. Sub-resources served over https connections that are not CT-compliant will fail to load and will show an error in Chrome DevTools." -- Devon O'Brien on Chromium CT Policy Mailing List

Comodo CA's Position

All COMODO CA issued TLS/SSL certificates, since 23 March 2018, comply with Chromium's CT Policy, therefore COMODO CA customers need not take any action at this time to include certificates issued on or after such a date in any known CT Log to be compliant with Google's Chrome mandate for April 2018.

Enforcement of CT compliance will only apply to certificates issued after April 2018; certificates issued before this date are unaffected and do not require registration in a known CT Log.

Certificate Transparency (CT) requires that all TLS clients (e.g. Google Chrome) must support the following three mechanisms for including the Signed Certificate Timestamp (SCT) in the TLS handshake:

X509v3 Extension
TLS Extension
OCSP Stapling

As such servers can use any one of these mechanisms to return CT information to TLS clients.

Comodo CA makes use of an X509v3 extension and includes (embeds) SCTs within the certificate itself.

Manually adding a Certificate to a Certificate Transparency (CT) Log

If one wishes to submit a certificate, issued prior to 23 March 2018, to one or more known (to Google Chrome) CT Logging endpoints, please follow these instructions:

Please navigate to -- https://crt.sh/gen-add-chain
- Open the certificate using a text editor
- Copy and Paste the certificate into the blank field
- Click the "Generate JSON" button
- POST the outputted JSON file to a log's '/ct/v1/add-chain' endpoint using a command such as:
wget --post-file <json_file> https://mammoth.ct.comodo.com/ct/v1/add-chain
After receiving the SCT back one will then need to configure their TLS server to serve the SCT.
- Note: For resources pertaining to the configuration of the TLS extension on a TLS Server, please see CT's website for Site Owners.
Use any current version of Google Chrome (e.g. 65.0.3325.181) & confirm if CT information is shared over the TLS session.
- For more information pertaining to Google Chrome & Certificate Transparency, please see CT's website for CT in Google Chrome

Additional Resources:

Comodo CA's CT Log URLs:

Google's CT Log URLs:

A list of logs can be found at: https://crt.sh/monitored-logs

Article ID: 1975, Created: June 26, 2018 at 1:05 AM, Modified: June 26, 2018 at 1:05 AM

Adding certificates to the Certificate Transparency (CT) logs.

We resell Comodo SSL certificates and we offer our customers with savings on the purchase of SSL certificates.

Background

Comodo CA's Position

Manually adding a Certificate to a Certificate Transparency (CT) Log

Share this article