1 # Certificate Transparency
7 Certificate Transparency (CT) is a protocol designed to fix several structural
8 flaws in the SSL/TLS certificate ecosystem. Described in
11 [certificate authorities](https://en.wikipedia.org/wiki/Certificate_authority) (CAs).
14 detect when a certificate has been issued for their domains, allowing them to
19 For more information about how Certificate Transparency works, see:
20 * https://www.certificate-transparency.org
21 …* [Introducing Certificate Transparency and Nimbus](https://blog.cloudflare.com/introducing-certif…
23 ## Certificate Transparency for Site Operators
27 We say that a certificate supports Certificate Transparency if it comes with
30 [Certificate Transparency in Chrome](https://github.com/chromium/ct-policy/blob/master/ct_policy.md)
31 policy. We sometimes refer to a site that "supports" CT as using a certificate
35 support Certificate Transparency. This is because RFC 6962 defines three ways
36 of providing the necessary information for CT: within the certificate, within
38 supports CT through the first method, meaning that when you get a certificate,
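The three delivery methods named above all carry the same TLS-encoded `SignedCertificateTimestampList` from RFC 6962 section 3.3: embedded in the certificate under the extension OID 1.3.6.1.4.1.11129.2.4.2 (wrapped in a DER OCTET STRING), in the OCSP response under 1.3.6.1.4.1.11129.2.4.5, or bare in the `signed_certificate_timestamp` TLS extension (type 18). The parser below is an added example, not Chromium's or any CA's code; the OIDs and extension number are taken from RFC 6962 rather than from this page, the two log IDs and the SCT bytes are constructed here, and the signatures are placeholders that are decoded but deliberately not verified (that needs the log's public key and the certificate itself).

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

# Where the same TLS-encoded list travels (RFC 6962 section 3.3). The X.509 and
# OCSP forms wrap it in a DER OCTET STRING; the TLS extension carries it bare.
OID_X509_EMBEDDED_SCT_LIST = "1.3.6.1.4.1.11129.2.4.2"
OID_OCSP_SCT_LIST = "1.3.6.1.4.1.11129.2.4.5"
TLS_EXT_SIGNED_CERTIFICATE_TIMESTAMP = 18


@dataclass
class SCT:
    version: int       # 0 == v1, the only version RFC 6962 defines
    log_id: bytes      # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int  # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int      # TLS HashAlgorithm, 4 == sha256
    sig_alg: int       # TLS SignatureAlgorithm, 3 == ecdsa
    signature: bytes   # not verified here: that needs the log's public key


def _u16(buf: bytes, off: int):
    if off + 2 > len(buf):
        raise ValueError("truncated 16-bit length field")
    return struct.unpack(">H", buf[off:off + 2])[0], off + 2


def parse_sct(buf: bytes) -> SCT:
    """Parse one SerializedSCT (RFC 6962 section 3.2)."""
    if len(buf) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    if buf[0] != 0:
        raise ValueError(f"unsupported SCT version {buf[0]}")
    log_id = buf[1:33]
    timestamp_ms = struct.unpack(">Q", buf[33:41])[0]
    ext_len, off = _u16(buf, 41)
    if off + ext_len + 4 > len(buf):
        raise ValueError("truncated extensions or DigitallySigned header")
    extensions, off = buf[off:off + ext_len], off + ext_len
    hash_alg, sig_alg, off = buf[off], buf[off + 1], off + 2
    sig_len, off = _u16(buf, off)
    if off + sig_len != len(buf):
        raise ValueError("signature length does not match remaining bytes")
    return SCT(0, log_id, timestamp_ms, extensions, hash_alg, sig_alg, buf[off:])


def parse_sct_list(buf: bytes) -> List[SCT]:
    """u16 total length, then a sequence of u16-length-prefixed SerializedSCTs."""
    total, off = _u16(buf, 0)
    if total == 0 or off + total != len(buf):
        raise ValueError("bad SignedCertificateTimestampList length")
    scts = []
    while off < len(buf):
        n, off = _u16(buf, off)
        if n == 0 or off + n > len(buf):
            raise ValueError("bad SerializedSCT length")
        scts.append(parse_sct(buf[off:off + n]))
        off += n
    return scts


def unwrap_octet_string(der: bytes) -> bytes:
    """Strip the DER OCTET STRING wrapper used by the X.509 and OCSP extension values."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("expected a DER OCTET STRING")
    first = der[1]
    if first < 0x80:
        length, off = first, 2
    else:
        n = first & 0x7F
        length, off = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if off + length != len(der):
        raise ValueError("OCTET STRING length does not match data")
    return der[off:]


def embedded_scts(extn_value: bytes) -> List[SCT]:
    """SCTs from the value of the 1.3.6.1.4.1.11129.2.4.2 certificate extension."""
    return parse_sct_list(unwrap_octet_string(extn_value))


def distinct_log_count(scts: List[SCT]) -> int:
    """Number of different logs vouching for the certificate. A real CT policy
    (Chrome's, for instance) also checks log operators, acceptance and timestamps."""
    return len({s.log_id for s in scts})


# Encoders, used only to build the constructed sample below.
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)  # no extensions
            + bytes([4, 3]) + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(serialized: List[bytes]) -> bytes:
    inner = b"".join(struct.pack(">H", len(s)) + s for s in serialized)
    return struct.pack(">H", len(inner)) + inner


def der_octet_string(payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([0x04, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x04, 0x80 | len(lb)]) + lb + payload


# Constructed sample: two SCTs from two made-up logs with placeholder signatures.
SAMPLE_LOG_A = hashlib.sha256(b"constructed log A public key").digest()
SAMPLE_LOG_B = hashlib.sha256(b"constructed log B public key").digest()
SAMPLE_EXTN_VALUE = der_octet_string(encode_sct_list([
    encode_sct(SAMPLE_LOG_A, 1525046400000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    encode_sct(SAMPLE_LOG_B, 1525046401000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
]))

if __name__ == "__main__":
    for sct in embedded_scts(SAMPLE_EXTN_VALUE):
        print(sct.log_id.hex()[:16], sct.timestamp_ms, sct.signature.hex())
```

For a real certificate, feed `embedded_scts` the raw value of the 1.3.6.1.4.1.11129.2.4.2 extension; for an OCSP response or TLS extension, feed `unwrap_octet_string` or `parse_sct_list` directly. The length checks matter: an SCT list from an untrusted peer is attacker-controlled input, and each length field is validated against the bytes actually present before it is used.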
43 Supporting CT within the certificate itself is the preferred and recommended
44 way to enable CT support. If you obtain a certificate from your CA and it does
62 expire before the certificate expires. If your CA also supports delivering CT
64 fresh CT information to be provided without having to replace the certificate.
66 not support CT in their OCSP responses, you may need to replace your certificate.
71 [Certificate Transparency for Enterprises](#Certificate-Transparency-For-Enterprises).
75 Chrome has gradually required Certificate Transparency for more and more
80 Certificate Transparency. Certificates that were not properly disclosed would
84 * [Since 1 June 2016](https://security.googleblog.com/2015/10/sustaining-digital-certificate-securi…
86 certificates owned by Symantec Corporation are disclosed via Certificate
91 the certificate be disclosed via Certificate
93 If a certificate is issued after this date and neither the certificate nor
96 see a full-page certificate warning, with the error code
98 indicates that your CA has not taken steps to make sure your certificate
100 you can get a replacement certificate that works.
104 Supporting CT by disclosing the certificate to a CT Log means that the full
105 contents of the certificate will be publicly accessible and viewable. In
106 particular, this means that the domains a certificate is for will be included
107 in the Certificate Transparency log, as well as the organization they are
115 Certificate Transparency provides an interoperable protocol for exchanging
116 these datasets, in many cases, the certificate details and domains were already
119 Requiring that the full certificate be disclosed if it was issued by a
120 publicly-trusted CA is an important part of the security goals of Certificate
123 certificates that could be used to compromise users. Certificate Transparency
130 of Certificate Transparency, none of them were able to balance the needs of
139 1. **Wildcard Certificates** - Wildcard certificates allow a single certificate
147 requires the certificate be disclosed, but can limit how much of the domain
153 [Certificate Transparency for Enterprises](#Certificate-Transparency-For-Enterprises).
155 certificate, but these certificates will **only** be trusted by their
158 ### What to do if your certificate does not work
161 30 April 2018 are expected to be disclosed via Certificate Transparency in a
162 way that is compliant with the Certificate Transparency in Chrome policy.
168 However, there's still a chance that a CA may not have adopted Certificate
176 certificate with a new one that properly supports CT.
178 ## Certificate Transparency for Enterprises
182 Certificate Transparency only applies to CAs that are publicly-trusted - that
188 Certificate Transparency. Further, Certificate Transparency Logs will not
196 [Enterprise Policies](#Enterprise-Policies) to configure how Certificate
208 …use a private CA, which [several](https://aws.amazon.com/certificate-manager/private-certificate-a…
209 …ate-pki/) [offer](https://www.comodo.com/business-security/pki-management/certificate-manager.php).
211 change in the TLS ecosystem, such as changes to certificate algorithms or
215 certificate. This will prevent this certificate from being trusted by default,
223 [Active Directory Certificate Services](https://msdn.microsoft.com/en-us/library/ff630887.aspx).
225 offers an alternative solution to partnering with a certificate provider.
229 Some Enterprises rely on Certificate Authorities that have not been audited to
235 requirement to disclose new certificates via Certificate Transparency has been
244 requires the Enterprise constantly keep track of changes regarding Certificate
257 their machines or users to disable Certificate Transparency for certain cases.
265 has been available since Chrome 53, and allows for disabling Certificate
267 disabling Certificate Transparency altogether.
281 available since Chrome 57, allows for disabling Certificate Transparency
282 enforcement if certain conditions are met in the trusted certificate chain.
296 To disable Certificate Transparency for these certificates, the certificate
299 1. The hash specified is of the server certificate's subjectPublicKeyInfo.
305 certificate has the same number of organizationName attributes, with
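The conditions above key on a SHA-256 hash of a certificate's subjectPublicKeyInfo and on the subject's organizationName attributes. The following is an added example, not Chromium code, of computing that hash in the `sha256/<base64>` form Chrome's hash-valued policies use (base64 of SHA-256 over the DER-encoded SPKI) and of comparing organizationName attributes between an issuing CA and a leaf. It uses the `cryptography` package; the private CA and leaf it builds are constructed here to stand in for an enterprise-issued chain, and the organizationName check is a simplified stand-in that compares decoded string values in order rather than the raw DER bytes.

```python
import base64
import datetime
import hashlib
from typing import List, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def spki_sha256(cert: x509.Certificate) -> str:
    """SHA-256 over the DER subjectPublicKeyInfo, as "sha256/<base64>"."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return "sha256/" + base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def spki_sha256_from_pem(pem: bytes) -> str:
    return spki_sha256(x509.load_pem_x509_certificate(pem))


def cert_pem(cert: x509.Certificate) -> bytes:
    return cert.public_bytes(serialization.Encoding.PEM)


def organization_names(cert: x509.Certificate) -> List[str]:
    """All organizationName values in the subject, in the order they appear."""
    return [a.value for a in cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)]


def same_organization(ca: x509.Certificate, leaf: x509.Certificate) -> bool:
    """Simplified stand-in for the organizationName condition: same count and
    same values, compared as decoded strings rather than byte-for-byte DER."""
    return organization_names(ca) == organization_names(leaf)


def _cert(subject: x509.Name, issuer: x509.Name, pubkey, signer, is_ca: bool) -> x509.Certificate:
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))


def build_sample_chain(ca_org: str, leaf_org: str) -> Tuple[x509.Certificate, x509.Certificate]:
    """Constructed private CA plus a leaf it issued (names and keys are made up here)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, ca_org),
                         x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Private CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, leaf_org),
                           x509.NameAttribute(NameOID.COMMON_NAME, "intranet.example.test")])
    ca = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, is_ca=True)
    leaf = _cert(leaf_name, ca_name, leaf_key.public_key(), ca_key, is_ca=False)
    return ca, leaf


if __name__ == "__main__":
    ca, leaf = build_sample_chain("Example Corp", "Example Corp")
    print("CA SPKI hash:  ", spki_sha256(ca))
    print("leaf SPKI hash:", spki_sha256(leaf))
    print("same organizationName set:", same_organization(ca, leaf))
```

Hashing the SPKI rather than the whole certificate is what makes the value survive a reissue of the certificate with the same key; rotating the key changes the hash, so a policy that pins the CA's SPKI must be updated when the CA's key is rolled.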
311 available since Chrome 67, allows for disabling Certificate Transparency
332 ## Certificate Transparency for Chrome/Chromium developers
336 Support for Certificate Transparency in //net is made up of two core
340 CT information (SCTs) from the certificate, the OCSP response, and the
342 CT logs, and validating that the SCTs match the certificate provided.
356 ### Supporting Certificate Transparency for Embedders
358 While Chromium has implemented support for Certificate Transparency for a
365 Certificate Transparency, by enforcing that newly-issued certificates are