Exclude certificates from CT logs

Configure CertCentral to allow users to exclude eligible TLS/SSL certificates from CT logs during ordering, renewal, or reissue.

Before you begin

Before excluding certificates from CT logs, review the consequences of unlogged certificates.

Consequences of unlogged certificates

Browsers with CT requirement policies show an untrusted warning or a reduced security indicator on sites with unlogged certificates.

  • For public-facing sites, customers may be discouraged from using the site, which can cause losses in business, customer trust, and revenue.

  • For internal-facing sites, visitors to the site may be deterred by the warning.

Chrome and Safari display warnings on sites with unlogged certificates.

As a best practice, log certificates that protect public-facing sites. Exclude certificates from CT logs only for internal or private sites where organization and domain names must remain confidential, and only when you are prepared to manage visitors who encounter the untrusted warning.

Resolve an untrusted warning

To remove an untrusted warning from an unlogged certificate, reissue the certificate with CT logging enabled, then replace the original certificate with the reissued, CT-logged certificate.
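Before deploying the reissued certificate, it is worth confirming that it actually embeds Signed Certificate Timestamps. The following added example is not part of the CertCentral documentation: it walks a DER-encoded X.509 certificate with only the Python standard library and reports whether the CT Precertificate SCTs extension (OID 1.3.6.1.4.1.11129.2.4.2) is present. The `sample_cert` helper builds a constructed, unsigned certificate skeleton for demonstration; a certificate without this extension may still satisfy CT policy through SCTs delivered in the TLS handshake or an OCSP response, so treat a "no" result as a prompt to investigate rather than proof the certificate is unlogged.

```python
# CT Precertificate SCTs extension, OID 1.3.6.1.4.1.11129.2.4.2, DER-encoded value bytes.
SCT_LIST_OID = bytes.fromhex("2b06010401d679020402")

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def has_embedded_scts(der):
    """True if tbsCertificate carries the SCT list extension, i.e. the cert embeds CT proofs."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    tbs = next(_children(cert))[1]          # first element is tbsCertificate
    for tag, value in _children(tbs):
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            _, exts, _ = _tlv(value, 0)     # Extensions ::= SEQUENCE OF Extension
            for _, ext in _children(exts):
                oid_tag, oid, _ = _tlv(ext, 0)  # Extension ::= SEQUENCE { extnID OID, ... }
                if oid_tag == 0x06 and oid == SCT_LIST_OID:
                    return True
    return False

def _der(tag, payload):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + payload

def sample_cert(with_scts):
    """Constructed (unsigned, placeholder-field) v3 certificate skeleton with real tbs layout."""
    exts = [_der(0x30, _der(0x06, bytes.fromhex("551d13")) + _der(0x04, b"\x30\x00"))]  # basicConstraints
    if with_scts:  # SCT list payload is a placeholder; a real one holds TLS-encoded SCTs
        exts.append(_der(0x30, _der(0x06, SCT_LIST_OID) + _der(0x04, b"\x04\x00")))
    tbs = b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                    # version v3
        _der(0x02, b"\x01"),                                # serialNumber
        _der(0x30, b""), _der(0x30, b""), _der(0x30, b""),  # signature, issuer, validity
        _der(0x30, b""), _der(0x30, b""),                   # subject, subjectPublicKeyInfo
        _der(0xA3, _der(0x30, b"".join(exts))),             # [3] extensions
    ])
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

To check a real certificate, read the PEM file and pass `ssl.PEM_cert_to_DER_cert(pem_text)` from the standard library to `has_embedded_scts`.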

Enable per-request CT log exclusion

  1. In the CertCentral main menu, go to Settings > Preferences.

  2. Expand Advanced settings.

  3. In Certificate requests, under CT logging, select Allow users to change CT logging per request.

  4. Select Save settings.

After you enable this setting, users choose whether to log eligible certificates to CT logs when requesting, renewing, or reissuing them.