DigiCert: Logging all public trust TLS/SSL certificates to CT logs

As of June 1, 2026, DigiCert logs all public trust TLS certificates, including canary and test certificates, to at least one certificate transparency (CT) log. Opting out of CT logging is no longer available for public trust TLS certificates.

Learn more about this change.

CT logging enforcement affects all DigiCert public trust TLS certificates, including:

  • Domain Validation (DV)

  • Organization Validation (OV)

  • Extended Validation (EV)

  • EU Qualified Website Authentication Certificate (QWAC)

  • EU QWAC PSD2

This change also applies to public trust TLS certificates issued under all DigiCert brands, including DigiCert®, GeoTrust®, Thawte®, RapidSSL®, and Encryption Everywhere®.

Why is DigiCert doing this?

The Google Chrome Root Program Policy now requires certificate authorities (CAs) to log all TLS precertificates and final certificates to at least one CT log. CT logs promote greater TLS certificate transparency and further enhance internet security.

Learn more about the Google Chrome Root Program Policy.

Benefits of certificate transparency logs

CT logs strengthen the TLS/SSL certificate ecosystem by creating publicly auditable records of certificate issuance by all Web PKI CAs.

Learn more about certificate transparency.

Check whether a TLS certificate was logged to CT logs

To check the CT logging status for a TLS certificate in CertCentral:

  1. In CertCentral, in the left menu, go to Certificates > Orders.

  2. On the Orders page, select the order number link for the TLS certificate.

  3. On the Order # details page, on the Details tab, under Certificate information, expand Additional certificate information.

  4. Under CT logging, verify that the status shows Logged to public CT Logs.

What if I don't want my TLS certificates in CT logs?

If your TLS certificates require public trust, they must be issued from a publicly trusted root hierarchy and logged to CT logs. Public trust TLS certificates can’t be excluded from CT logging.

If your TLS certificates don’t require public trust, you can use a private PKI hierarchy to keep those certificates out of public CT logs. Private PKI hierarchies aren’t subject to Chrome’s CT logging requirements because they don’t require public browser trust.

  • X9 PKI for TLS certificates: Use DigiCert's X9 PKI for TLS certificates to secure communications involving multiple organizations. Learn more about X9 PKI and schedule a consultation.

  • Private PKI as a service: Use DigiCert Private PKI for business needs that are strictly internal. DigiCert can configure and operate a private PKI for your organization, applying our operational expertise and security investments. Learn more.

Our team is available to discuss your specific requirements and help you design the right PKI architecture for your needs. Contact your account manager or DigiCert Support with questions or concerns.