When and When Not to Log Public SSL/TLS Certificates

Before you decide whether to log a certificate to CT logs, it is important to understand that in the vast majority of situations, logging your certificates in public CT logs is the correct option.

However, we know that you may have internal domains you don’t want made public in CT logs. These domains can be excluded from CT logs. Below is some information to help you make the right CT logging choice.

When should I log my public SSL/TLS certificate?

If the certificate is protecting a public website, you should always log it in public CT logs.

  • Your certificate information is already publicly available. A visitor to your site can click the lock icon in their browser to see the certificate details, which is the same information available in public CT logs.
  • There is no benefit in not logging the certificate, only downsides – browsers (Chrome, Safari, and others) now require CT logging, and a publicly-trusted certificate that is not logged will cause an untrusted warning. This breaks the user's connection to your site and makes your site effectively unusable.

When should I keep my SSL/TLS certificate information private?

If the certificate is protecting an internal or private site and you have organization and domain names that need to be kept private for branding, privacy, or network security reasons, you can choose not to log the certificate.

The downside is that most browsers (e.g., Chrome and Safari) have CT logging requirements, and anyone connecting to your site will see an untrusted warning. So, make sure you:

  • Really need to keep organization and domain names private.
  • Are prepared to manage the users who visit this site and get an untrusted warning.
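Whichever option you choose, the practical check before deploying a certificate is whether it actually carries embedded SCTs, and from how many distinct logs. The following is an added example (not from the original article or any CA's tooling): a standard-library Python parser for the SCT list that a logged certificate carries in its CT extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962 section 3.3). It assumes you have already extracted that extension's raw value from the certificate; the sample bytes are constructed here with dummy log IDs and a zero-filled signature, so signatures are not verified.

```python
import struct
from datetime import datetime, timezone

CT_SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension that carries embedded SCTs

def _der_octet_string_payload(data: bytes) -> bytes:
    """Strip the DER OCTET STRING wrapper (tag 0x04) around the TLS-encoded list."""
    if not data or data[0] != 0x04:
        raise ValueError("extension value is not a DER OCTET STRING")
    length, offset = data[1], 2
    if length & 0x80:                                   # long-form DER length
        n = length & 0x7F
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return data[offset:offset + length]

def parse_sct_list(ext_value: bytes) -> list:
    """Parse SignedCertificateTimestampList (RFC 6962 s3.3) into one dict per SCT."""
    tls = _der_octet_string_payload(ext_value)
    (total,) = struct.unpack(">H", tls[:2])             # 2-byte list length
    body, pos, scts = tls[2:2 + total], 0, []
    while pos < len(body):
        (sct_len,) = struct.unpack(">H", body[pos:pos + 2])
        sct, pos = body[pos + 2:pos + 2 + sct_len], pos + 2 + sct_len
        ts_ms, ext_len = struct.unpack(">QH", sct[33:43])  # ms timestamp, CT extension length
        sig = sct[43 + ext_len:]                         # digitally-signed: hash, sig alg, len, bytes
        (sig_len,) = struct.unpack(">H", sig[2:4])
        if len(sig) != 4 + sig_len:
            raise ValueError("truncated SCT signature")
        scts.append({"version": sct[0], "log_id": sct[1:33].hex(), "hash_alg": sig[0],
                     "sig_alg": sig[1], "timestamp": datetime.fromtimestamp(ts_ms / 1000, timezone.utc)})
    return scts

def distinct_log_count(scts: list) -> int:
    """Browser CT policies count SCTs from distinct logs, not the raw SCT count."""
    return len({s["log_id"] for s in scts})

# Constructed sample (dummy log IDs, zero-filled signature); not from a real certificate.
def build_sct(log_id: bytes, ts_ms: int) -> bytes:
    sig = b"\x00" * 8                                    # placeholder, not verifiable
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"   # v1, log id, ts, no ext
            + bytes([4, 3]) + struct.pack(">H", len(sig)) + sig)         # sha256 / ecdsa

def build_extension(scts: list) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    tls = struct.pack(">H", len(body)) + body
    der_len = bytes([len(tls)]) if len(tls) < 128 else b"\x81" + bytes([len(tls)])  # < 256 bytes
    return b"\x04" + der_len + tls

SAMPLE_EXTENSION = build_extension([build_sct(b"\x11" * 32, 1_700_000_000_000),
                                    build_sct(b"\x22" * 32, 1_700_000_000_500)])
```

An empty list (or a missing extension) means the certificate was not logged at issuance and will trigger the untrusted warning described above; compare the distinct-log count against the current Chrome and Apple CT policies, which this example does not encode.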