Resources for site owners

How can I tell if my server is responding with Certificate Transparency information?

One easy method is to visit your site in Chrome, click the green padlock, open the "Connection" tab and look for text indicating whether the site is "publicly auditable".  If you see that text, your server is returning SCT responses to Chrome.  On some platforms Chrome will additionally display a link to view "Transparency Information".

Screenshot of Chrome origin information bubble


How can I return Certificate Transparency information in my server response?

The Certificate Transparency RFC states that all TLS clients must support the following three mechanisms for including the SCT in the TLS handshake:
  • X509v3 Extension
  • TLS Extension
  • OCSP Stapling
As such, servers can use any one of these mechanisms to return Certificate Transparency information to clients.
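All three mechanisms carry the same wire structure, the SignedCertificateTimestampList defined in RFC 6962: the X509v3 extension wraps it in an OCTET STRING, the TLS extension carries it as the extension payload, and the OCSP response carries it in an OCSP extension. The parser below is an added example, not code from this page or from the Certificate Transparency project; it decodes that list into individual SCTs so you can see which logs and timestamps your server is actually sending. The sample list, its log IDs, timestamps and signature bytes are constructed for the example, and signatures are only carried through, not verified (that would require each log's public key, which is outside this page's scope).

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Wire layout from RFC 6962 section 3.2 (SCT) and 3.3 (list encoding).
SCT_VERSION_V1 = 0
LOG_ID_LEN = 32          # SHA-256 of the log's public key
HASH_ALG_NAMES = {4: "sha256"}          # TLS HashAlgorithm code used by CT v1
SIG_ALG_NAMES = {1: "rsa", 3: "ecdsa"}  # TLS SignatureAlgorithm codes


@dataclass
class SCT:
    version: int
    log_id: bytes
    timestamp_ms: int      # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes

    def describe(self) -> str:
        when = datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)
        return (f"log={self.log_id.hex()[:16]}... at {when.isoformat()} "
                f"sig={SIG_ALG_NAMES.get(self.sig_alg, '?')}/"
                f"{HASH_ALG_NAMES.get(self.hash_alg, '?')}")


def _take(buf: bytes, pos: int, n: int):
    """Return buf[pos:pos+n] and the new offset; reject truncated input."""
    if pos + n > len(buf):
        raise ValueError(f"truncated: need {n} bytes at offset {pos}, have {len(buf) - pos}")
    return buf[pos:pos + n], pos + n


def parse_sct(raw: bytes) -> SCT:
    """Parse one SerializedSCT (the bytes inside a length-prefixed list entry)."""
    pos = 0
    b, pos = _take(raw, pos, 1)
    version = b[0]
    if version != SCT_VERSION_V1:
        raise ValueError(f"unsupported SCT version {version}")
    log_id, pos = _take(raw, pos, LOG_ID_LEN)
    b, pos = _take(raw, pos, 8)
    timestamp_ms = struct.unpack("!Q", b)[0]
    b, pos = _take(raw, pos, 2)                 # CtExtensions: uint16 length
    extensions, pos = _take(raw, pos, struct.unpack("!H", b)[0])
    b, pos = _take(raw, pos, 2)                 # DigitallySigned: hash alg, sig alg
    hash_alg, sig_alg = b[0], b[1]
    b, pos = _take(raw, pos, 2)                 # opaque signature<0..2^16-1>
    signature, pos = _take(raw, pos, struct.unpack("!H", b)[0])
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(raw: bytes) -> List[SCT]:
    """Parse a SignedCertificateTimestampList: uint16 total length, then
    uint16-length-prefixed SerializedSCT entries (each at least 1 byte)."""
    pos = 0
    b, pos = _take(raw, pos, 2)
    total = struct.unpack("!H", b)[0]
    if total == 0:
        raise ValueError("empty SCT list")
    if pos + total != len(raw):
        raise ValueError("list length does not match payload")
    scts = []
    while pos < len(raw):
        b, pos = _take(raw, pos, 2)
        n = struct.unpack("!H", b)[0]
        if n == 0:
            raise ValueError("zero-length SCT entry")
        entry, pos = _take(raw, pos, n)
        scts.append(parse_sct(entry))
    return scts


def build_sct_list(scts: List[SCT]) -> bytes:
    """Inverse of parse_sct_list; used here only to construct sample input."""
    entries = b""
    for s in scts:
        body = (bytes([s.version]) + s.log_id + struct.pack("!Q", s.timestamp_ms)
                + struct.pack("!H", len(s.extensions)) + s.extensions
                + bytes([s.hash_alg, s.sig_alg])
                + struct.pack("!H", len(s.signature)) + s.signature)
        entries += struct.pack("!H", len(body)) + body
    return struct.pack("!H", len(entries)) + entries


# Constructed sample: two SCTs from two made-up logs, ECDSA/SHA-256, fake signature bytes.
SAMPLE_SCT_LIST = build_sct_list([
    SCT(0, b"\x01" * 32, 1431600000000, b"", 4, 3, bytes.fromhex("3006020101020102")),
    SCT(0, b"\x02" * 32, 1431600000000, b"", 4, 3, bytes.fromhex("3006020103020104")),
])


def parse_constructed_sample() -> List[SCT]:
    return parse_sct_list(SAMPLE_SCT_LIST)


if __name__ == "__main__":
    for sct in parse_constructed_sample():
        print(sct.describe())
```

In practice the bytes handed to `parse_sct_list` come from whichever mechanism your server uses: the value of the 1.3.6.1.4.1.11129.2.4.2 certificate extension, the signed_certificate_timestamp TLS extension in the ServerHello, or the 1.3.6.1.4.1.11129.2.4.5 OCSP response extension. A list that parses but whose log IDs are not ones Chrome recognises will still not count as publicly auditable, so compare the decoded log IDs against the logs your CA says it submitted to.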

If your CA is already issuing certificates with embedded SCTs (via the X509v3 Extension), this may be an easy way to get started: simply deploy a new certificate issued with embedded SCTs, and no server changes should be required.

We do, however, still recommend the use of either OCSP Stapling (if your CA supports it and supports including SCTs in the OCSP response) and/or the TLS Extension, as both of these mechanisms allow SCTs from new logs to be added or substituted over time without you needing to reissue your certificates.

At this time we are aware of support for the TLS extension in the following web servers (see the subpages for each):
  • Apache
  • haproxy
  • nginx
eijdenberg@google.com,
May 14, 2015, 10:19 AM