Certificate Transparency

What is CT (Certificate Transparency)? 

Certificate Transparency (CT) is specified in RFC 6962. It is an extension on certificates backed by a Merkle tree (a hash tree, much like the one a blockchain uses) maintained by public logs. The purpose of the tree is to help spot misuses of certificates and to give anyone a public way to audit the log of certificates that have been issued. Google first implemented it in 2013 and announced a requirement for 2017, which was then pushed back to 2018; Google now requires CT for all newly issued certificates. The SCT (signed certificate timestamp) used by CT can also be delivered in a TLS extension or via OCSP instead of being embedded in the certificate.

This is something we are considering adding to our library to make it easier for users to parse the information out of a certificate and view it with wolfSSL. Currently, users can get the extension by retrieving the peer certificate after the connection completes and submitting it to one of the available checkers (Google and Cloudflare both provide one). It gets noticeably more involved if the TLS extension (signed_certificate_timestamp) is added, or if a Monitor is implemented (an application that goes out and performs the audit on certificates).

What are we doing about it?

To keep this manageable, we plan to rely on the certificate itself containing the SCT and to parse it from there.

To get there, we are planning to make sure the work includes:

– An API to get the certificate extension information (users will want the hash / signature / timestamp to perform an audit on certificates)

– Checks on the timestamp (the client must reject an SCT whose timestamp is in the future)

– Code in our certificate extension parsing to read the OIDs and store the hash / signature / timestamp

– Testing and documentation (extra time on testing, since this touches the certificate parsing code)
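The extension parsing and the timestamp check in the list above, as an added example that is not wolfSSL code: a minimal C parser for the TLS-encoded SignedCertificateTimestampList that RFC 6962 places in the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2, plus the client rule that an SCT with a timestamp in the future is rejected. It assumes the caller has already stripped the DER OCTET STRING wrapper from the extension value; the sample bytes, log ID and signature are constructed placeholders, and the signature is parsed but not verified (verification needs the log's public key, looked up by log ID).

```c
/* Added example, not wolfSSL code: parse the TLS-encoded SignedCertificateTimestampList
 * carried in the X.509 CT extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962) and apply
 * the client rule "reject an SCT whose timestamp is in the future". Assumes the DER
 * OCTET STRING wrapper around the extension value has already been removed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SCT_LOG_ID_LEN 32
#define SAMPLE_TS_MS   1700000000000ULL   /* constructed sample timestamp (ms) */

typedef struct {
    uint8_t        version;                  /* 0 == v1, the only defined version */
    uint8_t        log_id[SCT_LOG_ID_LEN];   /* SHA-256 of the log's public key */
    uint64_t       timestamp_ms;             /* milliseconds since the UNIX epoch */
    const uint8_t *extensions; uint16_t ext_len;
    uint8_t        hash_alg, sig_alg;        /* TLS SignatureAndHashAlgorithm */
    const uint8_t *signature;  uint16_t sig_len;
} sct_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint64_t rd64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Parse one SerializedSCT of exactly len bytes. Returns 0 on success, -1 if malformed. */
static int parse_sct(const uint8_t *p, size_t len, sct_t *out)
{
    size_t off = 0;
    if (len < 1 + SCT_LOG_ID_LEN + 8 + 2) return -1;
    out->version = p[off++];
    if (out->version != 0) return -1;
    memcpy(out->log_id, p + off, SCT_LOG_ID_LEN); off += SCT_LOG_ID_LEN;
    out->timestamp_ms = rd64(p + off); off += 8;
    out->ext_len = rd16(p + off); off += 2;          /* CtExtensions: opaque <0..2^16-1> */
    if (len - off < (size_t)out->ext_len) return -1;
    out->extensions = p + off; off += out->ext_len;
    if (len - off < 4) return -1;                    /* digitally-signed: alg ids + length */
    out->hash_alg = p[off]; out->sig_alg = p[off + 1];
    out->sig_len = rd16(p + off + 2); off += 4;
    if (len - off != (size_t)out->sig_len) return -1; /* no short or trailing bytes */
    out->signature = p + off;
    return 0;
}

/* Parse the list: uint16 total length, then uint16-length-prefixed SCTs.
 * Returns the number of SCTs parsed, or -1 on any framing error. */
int parse_sct_list(const uint8_t *buf, size_t buf_len, sct_t *out, size_t max)
{
    if (buf_len < 3 || (size_t)rd16(buf) != buf_len - 2) return -1;
    const uint8_t *p = buf + 2, *end = buf + buf_len;
    size_t n = 0;
    while (p < end) {
        if (end - p < 2) return -1;
        size_t sct_len = rd16(p); p += 2;
        if (sct_len == 0 || (size_t)(end - p) < sct_len || n >= max) return -1;
        if (parse_sct(p, sct_len, &out[n]) != 0) return -1;
        p += sct_len; n++;
    }
    return (int)n;
}

/* RFC 6962: a client MUST reject an SCT whose timestamp is in the future.
 * now_ms is the client's own clock in ms. Returns 1 if the SCT is acceptable. */
int sct_timestamp_ok(const sct_t *sct, uint64_t now_ms)
{
    return sct->timestamp_ms <= now_ms;
}

/* Constructed sample input: one v1 SCT with a placeholder log ID (32 x 0xAA) and a
 * dummy 4-byte signature; not from any real log. Returns bytes written (55). */
size_t build_sample_sct_list(uint8_t *buf, size_t cap)
{
    const uint8_t sig[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    size_t sct_len = 1 + SCT_LOG_ID_LEN + 8 + 2 + 4 + sizeof sig;   /* 51 */
    size_t total = 2 + 2 + sct_len;
    uint8_t *p = buf;
    if (cap < total) return 0;
    wr16(p, (uint16_t)(2 + sct_len)); p += 2;   /* list length */
    wr16(p, (uint16_t)sct_len);       p += 2;   /* this SCT's length */
    *p++ = 0;                                   /* version v1 */
    memset(p, 0xAA, SCT_LOG_ID_LEN);  p += SCT_LOG_ID_LEN;
    wr64(p, SAMPLE_TS_MS);            p += 8;
    wr16(p, 0);                       p += 2;   /* no extensions */
    *p++ = 4; *p++ = 3;                         /* hash sha256(4), sig ecdsa(3) */
    wr16(p, (uint16_t)sizeof sig);    p += 2;
    memcpy(p, sig, sizeof sig);
    return total;
}
```

Every length field is checked against the bytes actually remaining before any read, and a list or SCT whose declared length does not match its framing is rejected outright rather than parsed partially; that is the behaviour to carry into real certificate parsing code, since the extension comes straight from the peer.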



For questions and comments regarding Certificate Transparency contact facts@wolfssl.com