Beginning in February 2015, the Chrome browser will require public logging of Extended Validation (EV) SSL certificates in Certificate Transparency (CT).
Certificate Transparency is an initiative created by Google to log, audit and monitor all public SSL Certificates. CT makes it possible to detect SSL certificates that have been mistakenly issued or maliciously acquired. For more information, see http://www.certificate-transparency.org/
EV certificates issued after January 1, 2015 that are not logged in CT will not receive the enhanced “green bar” in Chrome that shows the validated company information.
Certificate Transparency Requirements for Extended Validation SSL
Initially, Google’s CT requirements only apply to Extended Validation SSL. Domain Validated (DV) and Organisation Validated (OV) SSL are not currently logged, although Google may expand the CT requirements at a later date.
QuoVadis and other CAs will submit “whitelists” of existing EV SSL before January 1 to ensure their continuing EV treatment in Chrome. Chrome is the only browser requiring CT logging.
EV certificates issued after January 1 must provide proofs from a CT log server or they will not show the “green bar” in Chrome. A one year EV certificate requires two proofs, while a two year EV certificate requires at least three proofs.
Google itself is operating several CT logs for use by CAs. In addition, QuoVadis is participating in one of the first independent CT logs, ensuring that QuoVadis certificates are logged on diverse CT platforms.
QuoVadis CT-ready by Default
If you have an existing QuoVadis EV SSL, you do not need to take any action. Your certificate will be whitelisted in CT and will continue to show the “green bar” in Chrome.
With the launch of QuoVadis Trust/Link Enterprise v3, by default all new QuoVadis EV SSL will include the required number of CT proofs embedded in the certificate.
As the internet-wide implementation of CT continues, QuoVadis intends to expand support in Trust/Link to allow customers to select, by policy, how their certificates are logged in CT. Options may include the current embedded proof as well as delivery of proofs via OCSP stapling or TLS extensions.