When and When Not to Log Public SSL/TLS Certificates

Before you decide whether to log a certificate to CT logs, it is important to understand that in the vast majority of situations, logging your certificates in public CT logs is the correct option.

However, we know that you may have internal domains you don’t want made public in CT logs. These domains can be excluded from CT logs. Below is some information to help you make the right CT logging choice.

When should I log my public SSL/TLS certificate?

If the certificate is protecting a public website, you should always log it in public CT logs.

  • Your certificate information is already publicly available. A visitor to your site can click the lock icon in their browser to see certificate details; the same information available in public CT logs.
  • There is no benefit in not logging the certificate, only downsides – browsers now require CT logging (Chrome, Safari, and other browsers), and publicly-trusted certificates which are not logged will cause an untrusted warning. This breaks the user's connection to your site and makes your site effectively unusable.

When should I keep my SSL/TLS certificate information private?

If the certificate is protecting an internal or private site and you have organization and domain names that need to be kept private for branding, privacy, or network security reasons, you can choose not to log the certificate.

The downside is that most browsers have CT logging requirements (e.g., Chrome, Safari, etc.) and anyone connecting to your site will see an untrusted warning. So, make sure you:

  • Really need to keep organization and domain names private.
  • Are prepared to manage the users who visit this site and get an untrusted warning.

About

DigiCert is the world’s premier provider of high—assurance digital certificates—providing trusted SSL, private and managed PKI deployments, and device certificates for the emerging IoT market. Since our founding almost fifteen years ago, we’ve been driven by the idea of finding a better way. A better way to provide authentication on the internet. A better way to tailor solutions to our customer’s needs. Now, we’ve added Symantec’s experience and talent to our legacy of innovation to find a better way to lead the industry forward, and build greater trust in identity and digital interactions.

©2019 DigiCert, Inc. All rights reserved. DigiCert and its logo are registered trademarks of DigiCert, Inc. Symantec and Norton and their logos are trademarks used under license from Symantec Corporation. Other names may be trademarks of their respective owners.