Keeping SSL/TLS Certificates Out of Public CT Logs

We understand that you may want to keep specific public SSL/TLS certificates out of CT logs. However, before you begin excluding certificates from them, make sure you understand the consequences of unlogged SSL/TLS certificates.

What Happens When You Don’t Log SSL/TLS Certificates

Browsers with CT requirement policies will show an untrusted warning or a reduced security indicator on sites with unlogged SSL/TLS certificates.

  • For public-facing sites, customers may be discouraged from using your site, causing losses in business, customer trust, and revenue.
  • For internal-facing sites, the warning may deter users from proceeding to your site.

Google Chrome was the first browser to show warnings on sites with unlogged certificates issued after April 1, 2018. See Google CT to Expand to All Certificate Types.

Other browsers have begun to follow suit. Apple will show a warning on sites with unlogged certificates issued after October 15, 2018. See Apple Announces Certificate Transparency Requirement.

Remove Untrusted Warning

To remove this untrusted warning from an unlogged certificate, you must do the following:

  • Reissue the certificate and allow us to log it.
  • Replace the original certificate with the reissued, CT-logged certificate.
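Before replacing a certificate, and again after installing the reissued one, it helps to confirm whether the certificate actually carries embedded SCTs, which is how a CA records that it was logged at issuance. The following is an added example, not code from the original page or its vendor: a stdlib-only check for the SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962) in a DER-encoded certificate, with a constructed certificate-shaped sample for demonstration. Note that SCTs can also be delivered in the TLS handshake or via OCSP stapling, so a missing extension points to an unlogged certificate but is not conclusive on its own.

```python
import base64
SCT_LIST_OID_DER = bytes.fromhex("2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2 (RFC 6962)

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    return base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))

def _tlv(data: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(body: bytes):                          # yield (tag, value) for each SEQUENCE element
    pos = 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        yield tag, value

def has_embedded_scts(cert_der: bytes) -> bool:
    """True if tbsCertificate.extensions carries the SCT list extension."""
    _, cert_body, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    tbs = next(_children(cert_body))[1]             # tbsCertificate is its first field
    for tag, value in _children(tbs):
        if tag == 0xA3:                             # [3] EXPLICIT Extensions
            for _, ext in _children(next(_children(value))[1]):
                oid_tag, oid, _ = _tlv(ext, 0)      # every Extension starts with its OID
                if oid_tag == 0x06 and oid == SCT_LIST_OID_DER:
                    return True
    return False

def _der(tag: int, body: bytes) -> bytes:            # encode one DER TLV (for the sample below)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_cert(with_sct: bool) -> bytes:
    """Constructed sample: certificate-shaped DER with placeholder fields, not a real cert."""
    empty = _der(0x30, b"")
    basic_constraints = _der(0x30, _der(0x06, bytes.fromhex("551d13")) + _der(0x01, b"\xff") + _der(0x04, empty))
    sct_list = _der(0x30, _der(0x06, SCT_LIST_OID_DER) + _der(0x04, b"\x00\x00"))  # empty SCT list
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")  # version v3, serialNumber
           + empty * 5                       # sigAlg, issuer, validity, subject, SPKI placeholders
           + _der(0xA3, _der(0x30, basic_constraints + (sct_list if with_sct else b""))))
    return _der(0x30, _der(0x30, tbs) + empty + _der(0x03, b"\x00"))
```

For a real certificate, read the PEM file and call `has_embedded_scts(pem_to_der(text))`; running the check across an inventory of installed certificates flags the ones most likely to trigger the browser warnings described above.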