When and when not to log public TLS/SSL certificates
Before you decide whether to log a certificate in to CT logs, it is important to understand that, in the vast majority of situations, logging your certificates in public CT logs is the correct option.
However, we know that you may have internal domains you don’t want to be made public in CT logs. These domains can be excluded from CT logs. Below is some information to help you make the right CT logging choice.
When should I log my public TLS/SSL certificate?
If the certificate is protecting a public website, you should always log it in public CT logs.
Your certificate information is already publicly available. A visitor to your site can click the lock icon in their browser to see certificate details, which is the same information available in public CT logs.
There is no benefit in not logging the certificate, only downsides. Browsers (such as Chrome, Safari, and other browsers) now require CT logging, and publicly trusted certificates which are not logged will issue an untrusted warning. This breaks the user's connection to your site and makes your site effectively unusable.
When should I keep my TLS/SSL certificate information private?
If the certificate is protecting an internal or private site, and you have organization and domain names that need to be kept private for branding, privacy, or network security reasons, you can choose to not log the certificate.
The downside is that most browsers have CT logging requirements (e.g., Chrome, Safari, etc.) and anyone connecting to your site will see an untrusted warning. So, make sure you:
Really need to keep organization and domain names private.
Are prepared to manage the users who visit this site and get an untrusted warning.