Resources for site owners

How can I tell if my server is responding with Certificate Transparency information?

See Certificate Transparency in Chrome for instructions on how to use Google Chrome to check this.

How can I return Certificate Transparency information in my server response?

The Certificate Transparency RFC states that all TLS clients must support the following three mechanisms for including the SCT in the TLS handshake:
  • X509v3 Extension
  • TLS Extension
  • OCSP Stapling
As such, servers can use any one of these mechanisms to return Certificate Transparency information to clients.

If your CA is already issuing certificates with embedded SCTs (via the X509v3 Extension), this may be an easy way to get started: simply deploy a new certificate issued with embedded SCTs, and no changes should be required.

We do, however, still recommend using OCSP Stapling (if your CA supports it and supports including SCTs in the OCSP response) and/or the TLS Extension, as both of these mechanisms allow SCTs from new logs to be added or substituted over time without the need to reissue your certificates.

At this time we are aware of support for the TLS extension in the following web servers:

  • Apache
  • haproxy
  • nginx
May 14, 2015, 10:19 AM