Monday, March 19, 2018

Can Certificate Transparency affect your Active Directory CA?

Certificate Transparency
So first of all what is Certificate Transparency (CT)? With CT, all HTTPS certificates are logged into public log servers, and clients refuse to honour certificates that are not present in at least a subset of trusted logs. These logs provide a record of certificates that are issued and would help identify certificates that aren’t issued. Google pushing this topic and we all know how it influence the IT Business. It will enforce CT in Google Chrome on end of April of 2018 for certificates issued after the first April of 2018.

I just want to make it clear it only affects HTTPS certificates. For other purposes like SMIME, Smartcard Logon, Code Signing and so on are not affected. If you think of you even don’t see those certificates in Chrome. So let‘s get back to the topic. So the common scenarios would be an internal (private) CA and the second if you are chain certificates to public Root.

Internal CA
If you have a internal/private CA within your Environment, that does not chain up to a public root, CT will not affect your CA.  Google Chrome uses Windows native CAPI to determine trusted chains and know what is internal.

CA with Certificates chain to public Root
If a CA chains up to a public root and you issue HTTPS certificates, CT may affect your CA. In this case you should contact your Services Provider.

No comments:

Post a Comment