CertCentral Public SSL/TLS Certificate CT Logging Guide


CertCentral Public SSL/TLS Certificate CT Logging Guide Version 1.2

Table of Contents

1 Logging Public SSL/TLS Certificates to Public CT Logs
1.1 Will DigiCert Log All Certificates to Public CT Logs?
1.2 When and When Not to Log Public SSL/TLS Certificates
1.3 Keeping SSL/TLS Certificates Out of Public CT Logs
1.4 Methods for Keeping SSL/TLS Certificates Out of CT Logs
1.5 How to Allow Users to Keep Certificates Out of CT Logs
1.5.1 CT Logging Certificate Detail Added
1.5.2 How to Enable the CT Log Exclusion Feature for Your Account
1.5.3 How to See If a Certificate Was Logged to CT Logs
1.6 How to Turn Off CT Logging for Your Account
1.7 How to See If CT Logging Is Disabled for Your Account
1.8 How to Add an Unlogged SSL/TLS Certificate to Public CT Logs
About DigiCert

1 Logging Public SSL/TLS Certificates to Public CT Logs

As of February 1, 2018, DigiCert logs all newly issued public SSL/TLS certificates to public Certificate Transparency (CT) logs by default. This does not affect any OV certificates issued before February 1, 2018. Note that CT logging has been required for EV SSL Certificates since 2015.

DigiCert advocates CT logging because:
- It improves security across the web by providing early detection of misissued certificates.
- It checks the integrity of Certificate Authority (CA) practices.
- Most importantly, it provides you with a way to monitor all certificates issued for your domains, adding another layer of protection for your domains and customers.

References:
- DigiCert First CA Compatible with Google CT
- Google CT to Expand to All Public SSL/TLS Certificates
- Feb 1, DigiCert Logs All Public SSL/TLS Certificates to Public CT Logs

1.1 Will DigiCert Log All Certificates to Public CT Logs?

Since June 2015, DigiCert has been logging all EV SSL and EV Multi-Domain SSL Certificates to public CT logs. Starting February 1, 2018, DigiCert will log all public SSL/TLS certificates to CT logs. This includes the following certificate types:
- Standard SSL
- Multi-Domain SSL
- Wildcard SSL
- Extended Validation SSL
- EV Multi-Domain SSL
- Grid Host SSL
- Grid Host Multi-Domain SSL

The CT logging expansion doesn't affect your private SSL/TLS certificates. DigiCert will not log the following types of certificate to CT logs:
- Private SSL
- Private Multi-Domain SSL
- Private SSL Wildcard
- Client
- Code Signing
- EV Code Signing
- Document Signing

1.2 When and When Not to Log Public SSL/TLS Certificates

Before you decide whether to log a certificate to CT logs, it is important to understand that in the vast majority of situations, logging your certificates in public CT logs is the correct option. However, we know that you may have internal domains you don't want made public in CT logs. These domains can be excluded from CT logs. Below is some information to help you make the right CT logging choice.

1. When should I log my public SSL/TLS certificate?
   If the certificate is protecting a public website, you should always log it in public CT logs.
   - The certificate information is already publicly available. A visitor to your site can click the lock icon to see certificate details, the same information available in public CT logs.
   - There is no benefit in not logging the certificate, just a downside: individuals using Google Chrome to visit your site will see an untrusted warning and probably go somewhere else.

2. When should I keep my SSL/TLS certificate information private?
   If the certificate is protecting an internal or private site and you have organization and domain names that need to be kept private for branding, privacy, or network security reasons, you are probably okay not logging the certificate. The downside is that visitors using Google Chrome to visit your site will see an untrusted warning. So, make sure you:
   - Really need to keep organization and domain names private.
   - Are prepared to manage the users who visit this site and get an untrusted warning.

1.3 Keeping SSL/TLS Certificates Out of Public CT Logs

We understand that you may want to keep specific public SSL/TLS certificates out of the CT logs. However, before you begin excluding certificates from the CT logs, make sure you understand the consequences of unlogged SSL/TLS certificates.

What Happens When You Don't Log SSL/TLS Certificates

Browsers with CT requirement policies will show an untrusted warning or a reduced security indicator on sites with unlogged SSL/TLS certificates.
- For public-facing sites, customers may be discouraged from using your site, causing losses in business, customer trust, and revenue.
- For internal-facing sites, people who come to your site may be scared off.

Currently, Google Chrome is the only browser planning to show warnings on sites with unlogged certificates issued after April 1, 2018, although other browsers will likely follow. See Google CT to Expand to All Certificates Types.

Remove Untrusted Warning

To remove this untrusted warning from an unlogged certificate, you must do the following:
1. Reissue the certificate and allow us to log it.
2. Replace the original certificate with the reissued, CT logged certificate.

1.4 Methods for Keeping SSL/TLS Certificates Out of CT Logs

We've provided two methods to keep SSL/TLS certificates out of these logs:

Per Certificate Order: Exclude from CT Log When Ordering a Certificate (Recommended)
This method is ideal if you only have a minimal number of certificates you don't want logged. In your DigiCert account, you can activate a feature that allows individuals to exclude an SSL/TLS certificate from CT logs on a per certificate basis. See How to Allow Users to Keep Certificates Out of CT Logs.

Per Account: Turn Off CT Logging for an Account (Use with Caution)
This method is ideal if you need to keep organization and domain information private within an entire account. To turn CT logging off for your DigiCert account, see How to Turn Off CT Logging for Your Account.

1.5 How to Allow Users to Keep Certificates Out of CT Logs

For your account, you can activate a feature that allows users to keep an SSL/TLS certificate from being logged to public CT logs. The feature is available when a user orders a new certificate, reissues a certificate, or renews a certificate.

Before you allow users to keep SSL/TLS certificates out of public CT logs when ordering certificates, make sure they understand the benefits of CT logging and understand the consequences of keeping SSL/TLS certificates out of these logs. See Keeping SSL/TLS Certificates Out of Public CT Logs and When and When Not to Log Public SSL/TLS Certificates.

1.5.1 CT Logging Certificate Detail Added

Because we are logging all SSL/TLS certificates to public CT logs by default, we are adding a new certificate detail to let users know that a certificate has been logged. To see a certificate's details, go to the Orders page (Certificates > Orders), locate the certificate, and click the certificate's Quick View link. See How to See If a Certificate Was Logged to CT Logs.

Note: If you don't enable the CT log exclusion feature for your account, you will never see information about an SSL/TLS certificate not being logged. Note that this applies only to certificates issued as of February 1, 2018.

1.5.2 How to Enable the CT Log Exclusion Feature for Your Account

Use these instructions to activate a feature that allows users to keep SSL/TLS certificates out of public CT logs when ordering certificates (new, reissues, and renewals).

1. In your CertCentral account, in the sidebar menu, click Settings > Preferences.
2. On the Division Preferences page, scroll down and click +Advanced Settings.
3. In the Certificate Request section, under CT Logging, check Allow users to change CT logging per request.
   Note: Before you save your changes, make sure you understand the consequences of keeping certificates out of the CT logs.
4. Click Save Settings.
5. Congratulations! When ordering a certificate (new, reissue, and renewal orders), account users will see an option under Additional Certificate Options that allows them to keep an SSL/TLS certificate out of public CT logs.
   Note: Make sure those who can order certificates understand the consequences of keeping certificates out of the CT logs.
6. In addition, before someone approves an SSL/TLS certificate request, they can see (and make the final decision on) whether the certificate will be logged to CT logs:
   a. Logged to CT Logs
   b. Not Logged to CT Logs

1.5.3 How to See If a Certificate Was Logged to CT Logs

Use these instructions to find out if a certificate has been logged to public CT logs. This certificate detail only appears if you've enabled the account feature that lets users opt out of logging certificates to CT logs.

1. In your CertCentral account, in the sidebar menu, click Certificates > Orders.
2. On the Orders page, find the certificate with the CT logging details you need to check.
3. Next to the certificate's Order #, click the Quick View link for the certificate you want CT log details about.
4. In the Order # details pane (on the right), in the Certificate Details section, under CT logging, you will see one of the following messages:
   - Logged to CT Logs
   - Not Logged to CT Logs

1.6 How to Turn Off CT Logging for Your Account

Before you ask us to turn off CT logging for your account, make sure you understand the importance of logging SSL/TLS certificates to public CT logs and the consequences of keeping certificates out of these logs. See Keeping SSL/TLS Certificates Out of Public CT Logs.

Ideally, you should dedicate an entire account to ordering certificates you want kept out of public CT logs. You can then use multiple accounts to manage logged and not logged SSL/TLS certificates. We don't recommend doing this if you only have a single account. This setup doesn't provide a good workflow for issuing a certificate to CT logs when the time comes.

Caution: If CT logging is turned off for your only account, the only way to log an SSL/TLS certificate into the CT logs is to contact your Sales/Account representative and have them turn CT logging back on for your account. Only then can you reissue/renew the certificate, allow it to be logged to public CT logs, and then install it.

To turn CT logging off for your account, contact your Sales/Account representative.

1.7 How to See If CT Logging Is Disabled for Your Account

1. In your CertCentral account, in the sidebar menu, click Settings > Preferences.
2. On the Division Preferences page, scroll down and click +Advanced Settings.
3. In the Certificate Request section, look under CT Logging.
   a. If CT logging was turned off for your account, you see the message "Per request, CT logging was turned off for your account".
   b. If CT logging is turned on for your account, you see "Allow users to change CT logging per request".

1.8 How to Add an Unlogged SSL/TLS Certificate to Public CT Logs

Once a certificate is published to public CT logs, you can't remove it from the logs. However, if you chose to keep a certificate out of public CT logs and then discover that you need it logged, you can fix the situation.

To get an unlogged public SSL/TLS certificate into public CT logs, reissue the certificate and uncheck the "Don't log this certificate to public CT logs" check box so we can log it. After we reissue the certificate, the resulting reissued certificate will be logged in CT logs. The browser warnings will go away once the CT-logged certificate has been installed.

Changes to Reissued Certificates Don't Affect Previously Issued Certificates (Original and Reissues)

When you reissue a certificate, any changes that you make to the reissued certificate don't affect the original certificate (or previously reissued certificates). Changes only affect that reissued certificate and all reissued certificates going forward.

For example, if you order an SSL/TLS certificate and you choose to keep it out of public CT logs, the original certificate will never be logged to CT logs. However, if you reissue the certificate and allow it to be logged, the reissued certificate will be logged to CT logs. Additionally, all reissued certificates going forward will be logged to CT logs, unless you specifically choose to have that reissued certificate kept out.

Note: To get a duplicate certificate with a different CT logging setting, reissue the certificate and change the CT logging setting on the reissue certificate form.
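Sections 1.5.3 and 1.8 both turn on whether a certificate carries CT log evidence. On the wire that evidence is the list of Signed Certificate Timestamps (SCTs) that a logged certificate typically carries in its CT Precertificate SCTs extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962), which is what a CT-enforcing browser such as Chrome checks. The following Python example is added here and is not part of the DigiCert guide; it decodes that extension value with the standard library only, and the two SCTs it parses are constructed test data with fake log IDs and dummy signatures, not values from any real log.

```python
# Decoder for the RFC 6962 SignedCertificateTimestampList that a CT-logged certificate
# carries in its "CT Precertificate SCTs" extension (OID 1.3.6.1.4.1.11129.2.4.2).
import struct
from datetime import datetime, timezone

def strip_der_octet_string(data: bytes) -> bytes:
    """Remove the DER OCTET STRING wrapper (tag 0x04) the extension value carries."""
    if not data or data[0] != 0x04:
        return data
    first = data[1]
    if first < 0x80:                          # short-form length
        return data[2:2 + first]
    n = first & 0x7F                          # long form: next n bytes hold the length
    length = int.from_bytes(data[2:2 + n], "big")
    return data[2 + n:2 + n + length]

def parse_sct(sct: bytes) -> dict:
    """Decode one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]                        # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    p = 43 + ext_len                          # skip CtExtensions, then SignatureAndHashAlgorithm
    hash_alg, sig_alg = sct[p], sct[p + 1]
    (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
    signature = sct[p + 4:p + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated SCT signature")
    return {"log_id": log_id.hex(), "timestamp": datetime.fromtimestamp(ts_ms / 1000, timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature}

def parse_sct_list(ext_value: bytes) -> list:
    """Decode the extension value into one dict per SCT; an unlogged certificate has none."""
    data = strip_der_octet_string(ext_value)
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("SCT list truncated")
    scts, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        scts.append(parse_sct(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def build_sct(log_id: bytes, ts_ms: int, signature: bytes) -> bytes:
    """Constructed v1 SCT (SHA-256/ECDSA algorithm tags, no extensions) for test input."""
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)

def constructed_extension_value() -> bytes:
    """Constructed extension value holding two SCTs from two different (fake) logs."""
    scts = [build_sct(bytes([1]) * 32, 1517443200000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
            build_sct(bytes([2]) * 32, 1517443201000, b"\x30\x06\x02\x01\x03\x02\x01\x04")]
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    tls_list = struct.pack(">H", len(body)) + body
    return b"\x04" + bytes([len(tls_list)]) + tls_list  # short-form DER OCTET STRING
```

A certificate that was kept out of CT logs has no such extension to decode; a logged one yields one entry per log, and the set of distinct log IDs is what a CT-enforcing browser evaluates against its policy.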

About DigiCert

DigiCert is a premier provider of security solutions and certificate management tools. We have earned our reputation as the security industry leader by building innovative solutions for SSL Certificate management and emerging markets.

DIGICERT
2801 NORTH THANKSGIVING WAY STE. 500
LEHI, UTAH 84043
PHONE: 801.701.9690

© 2018 DigiCert, Inc. All rights reserved. DigiCert is a registered trademark of DigiCert, Inc. in the USA and elsewhere. All other trademarks and registered trademarks are the property of their respective owners.