We wanted to pass on an important notification that we recently received from GlobalSign regarding Certificate Transparency requirements that will be changing no later than December 31st.
“In order to improve the security of Extended Validation (EV) SSL
Certificates, Google Chrome intends to require Certificate Transparency
(CT) for all EV SSL Certificates issued after December 31, 2014.
Certificates not enabled for CT will no longer display the green address
bar in Chrome starting in February 2015.
To support this initiative and to ensure the best browsing experience
for your customers, GlobalSign will be posting all previously issued
publicly visible EV SSL Certificates to qualified CT logs during
December 2014 in order to have them added to the Google CT whitelist.
Starting no later than December 31, 2014, all GlobalSign EV SSL
Certificates will be published to CT logs during issuance. Publishing EV
SSL Certificates to the CT logs and including Signed Certificate
Timestamps (SCTs) in them will ensure that your customers websites will
continue to display the green address bar in Chrome.
For further details and upcoming dates, please see the information
below.
What is Certificate Transparency?
Certificate Transparency (CT) project provides an open framework for
monitoring and auditing SSL Certificate issuance based on Certificate
Authorities posting SSL Certificates to publicly accessible Qualified
Certificate Transparency Logs. These logs can be monitored by
enterprises to track the issuance of certificates for their domains
and to allow for corrective action to be taken should
mis-issuance be detected.
The official Certificate Transparency Project describes the 3 main goals:
http://www.certificate-transparency.org/
- To make it impossible (or at least very difficult) for a CA to issue an
SSL Certificate for a domain without the certificate being visible to
the owner of that domain. - To provide an open auditing and monitoring system that lets any domain
owner or CA determine whether certificates have been mistakenly or
maliciously issued. - To protect users from being duped by certificates that were mistakenly
or maliciously issued.
Google’s CT Roadmap for EV SSL
In order to improve the security of EV SSL Certificates, Google Chrome
is requiring Certificate Transparency (CT) for all EV SSL Certificates
issued after December 31, 2014. Google’s schedule for enforcing CT is as
follows:
By January 1, 2015, all previously issued EV SSL Certificates with
validity beyond February 2015 must be submitted to a CT Log so they can
be included in the Google whitelist.
By January 1, 2015 the issuance of new (including re-issued) EV
certificates must have Signed Certificate Timestamps (SCTs) included, or
they will not receive the traditional Green bar EV treatment by Chrome.
Beginning in February 2015, both Chrome desktop and mobile versions will
not display the prominent Green Bar associated with EV SSL Certificates
if it is not on the whitelist or if it does not have SCTs in the
certificate.
Changes for GlobalSign Customers
No later than December 31, 2014: GlobalSign will be posting all publicly
visible EV SSL Certificates to at least one qualified CT log in order to
have them added to the Google CT whitelist. Internally accessible EV
SSL Certificates can be reissued after December 31, 2014 if they need to
receive the Chrome EV treatment.
Starting no later than December 31, 2014: All EV SSL Certificates will
be published to CT logs during issuance and will include SCTs.
If you have any questions, please do not hesitate to contact us.
The GlobalSign Support Team
US: 1-603-570-7060 | UK: +44 1622 766 766 | EU : +32 16 89 1900