Certificate Transparency in Chrome

This page describes how to observe Chrome's CT state for a secure site.
This feature has been available since Chrome 33 (the strings will have changed in Chrome 44).

Basic UI indicator

This information is present in the Connection information pop-up in Chrome. Click the padlock:

Then navigate to the Connection Information tab:

The Certificate Transparency status is now a part of the website identity string. For example, when a valid Signed Certificate Timestamp accompanies the certificate, the string would read like so:

One of four strings will be displayed:
  • The identity of this website has been verified by ISSUER but does not have public audit records. - When no Signed Certificate Timestamps are present.
  • The identity of this website has been verified by ISSUER and is publicly auditable. - When a valid, verified Signed Certificate Timestamp is present.
  • The identity of this website has been verified by ISSUER, it claims to have public audit records, but the records cannot be verified. - When a Signed Certificate Timestamp from an unknown log is present.
  • The identity of this website has been verified by ISSUER, but its public audit records failed verification. - When a Signed Certificate Timestamp from a known log is present but failed to validate.

Detailed Signed Certificate Timestamp information

The exact Signed Certificate Timestamps Chrome sees and their validation status are available through Chrome's NetLog, accessible via chrome://net-internals.
Open the Chrome NetLog before visiting a website. Then switch to the Events view from the drop-down and look for a 'SOCKET' event type.
After the certificate chain, the event shows the SCTs received, their origin and their validation status:

Specifying a custom CT log

By default, Chrome will check SCTs coming from a list of predefined CT logs recognized by Chrome. The next step is only necessary if you wish to get Chrome to check an SCT issued by your own log. If so, launch the binary with the following command:

./chrome --certificate-transparency-log="Google_Pilot_Log:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3UyEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w==:ct.googleapis.com/pilot" --user-data-dir="/tmp/chromeprofile"

The flag format is described in this page.
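
Before launching Chrome with a custom log, it helps to confirm that the flag value is well formed. The following is an added example, not part of the original page or of Chromium's code: it parses the three colon-separated fields as they appear in the command above (the field names description, public key and URL are assumptions inferred from that command), checks that the key is base64-encoded DER, and derives the RFC 6962 log ID (SHA-256 of the DER-encoded key) that an SCT carries to name the log that issued it.

```python
import base64
import binascii
import hashlib
from typing import NamedTuple

# DER header of a SubjectPublicKeyInfo holding a NIST P-256 public key.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)

# Flag value copied from the command on this page.
PAGE_FLAG_VALUE = (
    "Google_Pilot_Log:"
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ"
    "6o3UyEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w=="
    ":ct.googleapis.com/pilot"
)


class CTLogSpec(NamedTuple):  # hypothetical container for this example
    description: str
    public_key_der: bytes
    url: str
    key_type: str
    log_id_b64: str


def parse_ct_log_flag(value: str) -> CTLogSpec:
    # Split on the first two colons only: the URL may contain a port.
    parts = value.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected description:base64-key:url")
    description, key_b64, url = parts
    try:
        der = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key is not valid base64: {exc}") from exc
    if not der.startswith(b"\x30"):
        raise ValueError("public key is not a DER SEQUENCE")
    # 26-byte header + 0x04 (uncompressed point) + 64 bytes of X||Y = 91.
    is_p256 = der.startswith(P256_SPKI_PREFIX + b"\x04") and len(der) == 91
    log_id = hashlib.sha256(der).digest()  # RFC 6962 log ID
    return CTLogSpec(description, der, url,
                     "ecdsa-p256" if is_p256 else "other",
                     base64.b64encode(log_id).decode("ascii"))


if __name__ == "__main__":
    spec = parse_ct_log_flag(PAGE_FLAG_VALUE)
    print(f"{spec.description} ({spec.key_type}) at {spec.url}")
    print("log ID:", spec.log_id_b64)
```
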

Signed Certificate Timestamps viewer (OBSOLETE)

Note: The SCT Viewer has been removed from Chromium since it was missing from the Mac version of Chrome and there were no immediate plans to amend it (announcement).
The information below is for historical reasons only.

In addition to the basic UI indicator, it is possible to view details about each Signed Certificate Timestamp.
When Signed Certificate Timestamps are present, the "Transparency information" link (which can be seen on the screenshot above) will pop up a dialog showing details about the Signed Certificate Timestamps:

This viewer is available in Chrome for Windows or Linux since release 35.