Keeping TLS/SSL certificates out of public CT logs
We understand that you may want to keep specific public TLS/SSL certificates out of CT logs. However, before you begin excluding certificates from them, make sure you understand the consequences of unlogged TLS/SSL certificates.
What happens when you don’t log TLS/SSL certificates
Browsers with CT requirement policies will show an untrusted warning or a reduced security indicator on sites with unlogged certificates.
For public-facing sites, the warning may discourage customers from using your site, costing you business, customer trust, and revenue.
For internal-facing sites, the warning may deter employees and other users from proceeding to your site.
Google Chrome was the first browser to show warnings on sites with unlogged certificates issued after April 1, 2018. See Google CT to Expand to All Certificates Types.
Other browsers have begun to follow suit. Apple began showing a warning on sites with unlogged certificates issued after October 15, 2018. See Apple Announces Certificate Transparency Requirement.
Remove untrusted warning
To remove this untrusted warning from an unlogged certificate, you must do the following:
Reissue the certificate and allow us to log it.
Replace the original certificate with the reissued, CT-logged certificate.
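Whether a certificate is "logged" in the sense used above is visible in the certificate itself: a CA that logs a certificate embeds the Signed Certificate Timestamps (SCTs) returned by the logs in the extension with OID 1.3.6.1.4.1.11129.2.4.2 (RFC 6962, section 3.3). The following added example, which is not part of this page or of any CA's tooling, decodes that extension's SignedCertificateTimestampList with only the Python standard library so you can verify that a reissued certificate actually carries SCTs before you deploy it. The SCT list it parses is constructed inline from placeholder log IDs and a dummy signature; it does not validate signatures, and the log IDs, timestamp and signature bytes are not real.

```python
"""Decode the embedded SCT list from an X.509 certificate's CT extension.

RFC 6962 section 3.3 defines SignedCertificateTimestampList, the TLS-style
structure a CA embeds under OID 1.3.6.1.4.1.11129.2.4.2 when it logs a
certificate.  A certificate without this extension (and without SCTs
delivered via the TLS handshake or OCSP) is what browsers treat as
"unlogged".  This example is added for illustration; it is not code from
the page above.  It parses the structure only; it does not verify the SCT
signatures against the logs' public keys.
"""
import struct
from datetime import datetime, timezone

# OID of the precertificate SCT list extension (RFC 6962).
CT_PRECERT_SCT_OID = "1.3.6.1.4.1.11129.2.4.2"


def _parse_sct(sct: bytes) -> dict:
    """Parse one SignedCertificateTimestamp (v1 wire format)."""
    # version(1) log_id(32) timestamp(8) extensions<0..2^16-1> signature
    if len(sct) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = sct[0]
    if version != 0:  # v1 is encoded as 0
        raise ValueError(f"unsupported SCT version {version}")
    log_id = sct[1:33]
    (ts_ms,) = struct.unpack(">Q", sct[33:41])  # ms since the Unix epoch
    (ext_len,) = struct.unpack(">H", sct[41:43])
    ext_end = 43 + ext_len
    extensions = sct[43:ext_end]
    sig = sct[ext_end:]
    # DigitallySigned: hash alg(1) sig alg(1) sig len(2) signature bytes
    if len(sig) < 4:
        raise ValueError("SCT signature truncated")
    (sig_len,) = struct.unpack(">H", sig[2:4])
    if len(sig) - 4 != sig_len:
        raise ValueError("SCT signature length mismatch")
    return {
        "log_id_hex": log_id.hex(),
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": sig[0],
        "sig_alg": sig[1],
        "signature": sig[4:],
    }


def parse_sct_list(blob: bytes) -> list:
    """Parse the OCTET STRING contents of the CT extension into SCT dicts.

    Raises ValueError on any length inconsistency, so a truncated or
    corrupted extension is reported instead of silently yielding fewer SCTs.
    """
    if len(blob) < 2:
        raise ValueError("SCT list too short")
    (total_len,) = struct.unpack(">H", blob[:2])
    if total_len != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(blob):
        (sct_len,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        sct = blob[pos:pos + sct_len]
        if len(sct) != sct_len:
            raise ValueError("truncated SCT")
        pos += sct_len
        scts.append(_parse_sct(sct))
    return scts


def ct_status(sct_list_blob) -> dict:
    """Summarise what a CT-enforcing client would see for this certificate.

    Pass None when the certificate has no CT extension at all.  The distinct
    log count matters because browser policies require SCTs from more than
    one independent log, not merely one SCT.
    """
    scts = parse_sct_list(sct_list_blob) if sct_list_blob is not None else []
    return {
        "logged": len(scts) > 0,
        "sct_count": len(scts),
        "distinct_logs": len({s["log_id_hex"] for s in scts}),
    }


# --- Constructed fixture (not a real certificate's extension) ------------
def _build_sct(log_id: bytes, ts_ms: int, signature: bytes) -> bytes:
    """Encode one v1 SCT with no extensions, SHA-256/ECDSA algorithm ids."""
    body = (bytes([0]) + log_id + struct.pack(">Q", ts_ms)
            + struct.pack(">H", 0)                       # no extensions
            + bytes([4, 3])                              # sha256, ecdsa
            + struct.pack(">H", len(signature)) + signature)
    return struct.pack(">H", len(body)) + body


def build_sct_list(encoded_scts: list) -> bytes:
    """Wrap encoded SCTs in a SignedCertificateTimestampList."""
    body = b"".join(encoded_scts)
    return struct.pack(">H", len(body)) + body


# Placeholder log IDs and a dummy signature; a real extension carries the
# SHA-256 hash of each log's public key and a genuine ECDSA signature.
_LOG_A, _LOG_B = bytes([0xAA]) * 32, bytes([0xBB]) * 32
_DUMMY_SIG = bytes(70)
CONSTRUCTED_SCT_LIST = build_sct_list([
    _build_sct(_LOG_A, 1_526_000_000_000, _DUMMY_SIG),  # May 2018
    _build_sct(_LOG_B, 1_526_000_000_000, _DUMMY_SIG),
])

if __name__ == "__main__":
    for sct in parse_sct_list(CONSTRUCTED_SCT_LIST):
        print(sct["log_id_hex"][:16], sct["timestamp"].isoformat())
    print(ct_status(CONSTRUCTED_SCT_LIST), ct_status(None))
```

To get the real extension contents out of a deployed certificate you do not need this parser's wire-level decoding: `openssl x509 -in cert.pem -noout -text` prints the SCTs under a "CT Precertificate SCTs" heading (its absence is the quickest sign of an unlogged certificate), and the Python `cryptography` package exposes the same list as `cert.extensions.get_extension_for_oid(ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS).value`. The parser above is useful when you want to apply your own checks, such as the distinct-log count, in a deployment pipeline before the reissued certificate goes live.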