When and When Not to Log Public SSL/TLS Certificates

Before you decide whether to log a certificate to CT logs, it is important to understand that in the vast majority of situations, logging your certificates in public CT logs is the correct option.

However, we know that you may have internal domains you don’t want made public in CT logs. These domains can be excluded from CT logs. Below is some information to help you make the right CT logging choice.

When should I log my public SSL/TLS certificate?

If the certificate is protecting a public website, you should always log it in public CT logs.

  • Your certificate information is already publicly available. A visitor to your site can click the lock icon in their browser to see certificate details; the same information available in public CT logs.
  • There is no benefit in not logging the certificate, only downsides – browsers now require CT logging (Chrome, Safari, and other browsers), and publicly-trusted certificates which are not logged will cause an untrusted warning. This breaks the user's connection to your site and makes your site effectively unusable.

When should I keep my SSL/TLS certificate information private?

If the certificate is protecting an internal or private site and you have organization and domain names that need to be kept private for branding, privacy, or network security reasons, you can choose not to log the certificate.

The downside is that most browsers have CT logging requirements (e.g., Chrome, Safari, etc.) and anyone connecting to your site will see an untrusted warning. So, make sure you:

  • Really need to keep organization and domain names private.
  • Are prepared to manage the users who visit this site and get an untrusted warning.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.