
How is certificate checked for "Certificate Transparency"?

Question asked by j-mailor on Jan 18, 2017
Latest reply on Jan 20, 2017 by j-mailor

I checked one of the servers that got a new certificate yesterday from Let's Encrypt CA


Test on reports "Certificate Transparency: No", but looking directly into the log I see this certificate was logged.




Also statement from Let's Encrypt web site: "We are dedicated to transparency in our operations and in the certificates we issue. We submit all certificates to Certificate Transparency logs as we issue them."


How does determine if a certificate is logged into CT? Does it check against a real-time database?


EDIT: I have checked three domains out of the Let's Encrypt list: and found out all of them have got "CT = No" in the test. Is this Let's Encrypt specific in the sslabs test?


Additional: I suggest marking "Certificate Transparency: No" with orange colour. Why?
a) Google Chrome is going to require certificates to be logged into CT by October 2017.
b) If there is DNS CAA marked with orange colour, then in my humble opinion "CT = No" should also be in orange colour.