Introduction

Certificate Transparency (CT) is a framework for publicly logging, monitoring and auditing TLS certificates. Modern browsers (Chrome, Safari) require that publicly-trusted certificates come with Signed Certificate Timestamps (SCTs), each a signed promise from a CT log that the certificate has been logged. Without valid SCTs, Chrome shows a NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error and refuses the connection. Browser vendors enforce this so that misissued or rogue certificates can be detected by anyone monitoring the logs.

Symptoms

  • Chrome shows NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED or connection blocked
  • SSL Labs shows Certificate Transparency: No
  • Browser security indicator shows a warning for the certificate
  • curl works (it does not check CT) but Chrome/Safari show certificate errors
  • Certificate was issued but never submitted to a CT log, so it carries no SCTs

Common Causes

  • CA does not support Certificate Transparency
  • Certificate issued before CT was enforced by browsers
  • SCTs not delivered via any of the three methods (TLS extension, stapled OCSP response, X.509 extension in the certificate)
  • Web server not configured to serve SCTs via the TLS extension when they are not embedded in the certificate
  • Confusion between private and public CAs: certificates from a private/internal CA are exempt from CT, but every publicly-trusted certificate must have SCTs

Step-by-Step Fix

  1. Check whether the certificate carries SCTs. Look first for the CT Precertificate SCTs extension in the certificate itself, which is how nearly all public CAs deliver them; openssl s_client only requests and prints SCTs sent in the TLS extension when given the -ct option (OpenSSL 1.1.0 or later). Chrome's DevTools Security panel also lists the SCTs it received and their validation status.
```bash
# SCTs embedded in the certificate (X.509 extension)
openssl s_client -connect yoursite.com:443 -servername yoursite.com </dev/null 2>/dev/null | \
  openssl x509 -noout -text | grep -A 8 "CT Precertificate SCTs"
# SCTs delivered in the TLS handshake extension
openssl s_client -connect yoursite.com:443 -servername yoursite.com -ct </dev/null 2>&1 | \
  grep -A 6 "Signed Certificate Timestamp"
# Or check via SSL Labs: https://www.ssllabs.com/ssltest/
```
  2. Verify that the CA submits certificates to CT logs. Every major public CA (Let's Encrypt, DigiCert, Sectigo) logs a precertificate automatically and embeds the resulting SCTs in the issued certificate; check with your CA if in doubt. Also count the SCTs: Chrome's policy requires SCTs from at least two distinct logs (three for certificates valid longer than 180 days), so a certificate with a single SCT still fails.
  3. Configure Nginx to serve SCTs via the TLS extension. Stock Nginx has no directive for this; the third-party nginx-ct module provides one. This is only needed when the SCTs are not already embedded in the certificate:
```bash
# Download the .sct files from your CA into a directory, then, with nginx-ct built in:
ssl_ct on;
ssl_ct_static_scts /etc/nginx/ssl/scts;
```
  4. Apache needs no extra configuration when the SCTs are embedded in the certificate as an X.509 extension (the common case). To serve SCTs via the TLS extension instead, Apache httpd 2.4 ships the mod_ssl_ct module.
  5. If using Let's Encrypt, SCTs are always embedded. Verify by inspecting the certificate:
```bash
# Let's Encrypt always submits precertificates to CT logs
openssl x509 -in cert.pem -noout -text | grep -A 5 "CT Precertificate SCTs"
```
  6. Reissue the certificate if it has no SCTs. Switch to a CA that supports Certificate Transparency (Let's Encrypt, DigiCert, GlobalSign, etc.) and reissue. A certificate issued without embedded SCTs cannot be fixed in place; the only alternative to reissuing is to submit the issued certificate to CT logs yourself (the logs' add-chain endpoint) and serve the returned SCTs via the TLS extension or OCSP response as in steps 3 and 4.
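The checks above rely on openssl printing the SCT list for you. To show what is actually inside that extension, and why counting SCTs matters for the browser policy, here is an added example (not code from the original page) that parses the RFC 6962 SignedCertificateTimestampList with the standard library only. The list encoding is the same in the TLS extension, the OCSP response and, wrapped in a DER OCTET STRING, the X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2). The sample SCTs are constructed with fake log IDs and placeholder signatures, so the example verifies structure and distinct-log count, not log signatures; the threshold of two distinct logs is an assumed parameter modelled on Chrome's policy for short-lived certificates.

```python
"""Parse an RFC 6962 SCT list and count distinct logs (added example, stdlib only)."""
from dataclasses import dataclass

OID_CT_PRECERT_SCTS = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension carrying the list


@dataclass(frozen=True)
class SCT:
    version: int
    log_id: bytes      # SHA-256 of the log's DER-encoded public key (32 bytes)
    timestamp_ms: int  # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int      # TLS HashAlgorithm, 4 = sha256
    sig_alg: int       # TLS SignatureAlgorithm, 3 = ecdsa
    signature: bytes   # signature over the (pre)certificate; not verified here


def _read_vec(buf: bytes, pos: int, len_bytes: int) -> tuple[bytes, int]:
    """Read a TLS length-prefixed vector at pos, rejecting truncated input."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n


def parse_sct(data: bytes) -> SCT:
    """Parse one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(data) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    if data[0] != 0:  # only v1 (value 0) is defined
        raise ValueError(f"unsupported SCT version {data[0]}")
    log_id, timestamp_ms = data[1:33], int.from_bytes(data[33:41], "big")
    extensions, pos = _read_vec(data, 41, 2)
    if len(data) - pos < 4:
        raise ValueError("truncated signature")
    hash_alg, sig_alg = data[pos], data[pos + 1]
    signature, pos = _read_vec(data, pos + 2, 2)
    if pos != len(data):
        raise ValueError("trailing bytes in SCT")
    return SCT(0, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(blob: bytes) -> list[SCT]:
    """SignedCertificateTimestampList: 2-byte total length, then 2-byte-prefixed SCTs."""
    body, pos = _read_vec(blob, 0, 2)
    if pos != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        item, p = _read_vec(body, p, 2)
        scts.append(parse_sct(item))
    return scts


def parse_x509_extension_value(der: bytes) -> list[SCT]:
    """The X.509 extension value is a DER OCTET STRING wrapping the TLS-encoded list."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    if der[1] < 0x80:
        n, pos = der[1], 2
    else:  # long-form length
        nbytes = der[1] & 0x7F
        n, pos = int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes
    if pos + n != len(der):
        raise ValueError("OCTET STRING length does not match")
    return parse_sct_list(der[pos:])


def distinct_log_ids(scts: list[SCT]) -> set[bytes]:
    return {s.log_id for s in scts}


def meets_minimum(scts: list[SCT], required: int = 2) -> bool:
    """Assumed policy floor: SCTs from `required` distinct logs, so a second SCT
    from the same log does not help (Chrome: 2 for certs valid 180 days or less)."""
    return len(distinct_log_ids(scts)) >= required


def is_malformed(blob: bytes) -> bool:
    try:
        parse_sct_list(blob)
        return False
    except ValueError:
        return True


# --- constructed sample data: fake log IDs and placeholder signatures ---
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    return (b"\x00" + log_id + timestamp_ms.to_bytes(8, "big") + b"\x00\x00"  # no extensions
            + b"\x04\x03" + len(signature).to_bytes(2, "big") + signature)   # sha256, ecdsa


def encode_sct_list(items: list[bytes]) -> bytes:
    body = b"".join(len(i).to_bytes(2, "big") + i for i in items)
    return len(body).to_bytes(2, "big") + body


def der_octet_string(payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return b"\x04" + bytes([n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(lb)]) + lb + payload


FAKE_SIG = bytes.fromhex("3006020101020102")  # placeholder, not a real signature
LOG_A, LOG_B, TS = b"\xaa" * 32, b"\xbb" * 32, 1_700_000_000_000
SAMPLE_TWO_LOGS = der_octet_string(encode_sct_list(
    [encode_sct(LOG_A, TS, FAKE_SIG), encode_sct(LOG_B, TS + 5, FAKE_SIG)]))
SAMPLE_SAME_LOG_TWICE = der_octet_string(encode_sct_list(
    [encode_sct(LOG_A, TS, FAKE_SIG), encode_sct(LOG_A, TS + 5, FAKE_SIG)]))

if __name__ == "__main__":
    for name, der in (("two logs", SAMPLE_TWO_LOGS), ("same log twice", SAMPLE_SAME_LOG_TWICE)):
        scts = parse_x509_extension_value(der)
        print(f"{name}: {len(scts)} SCT(s), {len(distinct_log_ids(scts))} distinct log(s), "
              f"meets minimum: {meets_minimum(scts)}")
```

The second sample is the case worth remembering: two SCTs from one log parse fine and still fail the distinct-log requirement, which is exactly what the openssl output will not tell you unless you compare the Log ID lines yourself. Signature verification is deliberately left out; it needs each log's public key from a trusted log list and, for embedded SCTs, reconstruction of the precertificate TBS.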

Prevention

  • Choose CAs that automatically submit to CT logs and embed SCTs in certificates
  • Monitor CT compliance with SSL Labs automated testing and, in Chrome, the DevTools Security panel, which lists the SCTs received and their validation status
  • Use Certificate Transparency monitoring services (crt.sh, Facebook CT Monitoring) to verify your certificates are logged and to spot certificates for your domains that you did not request
  • Include CT requirements (embedded SCTs from at least two distinct logs) in your certificate procurement checklist
  • Test new certificates in Chrome Canary, which picks up CT policy changes before stable Chrome