Certificate transparency query

While looking at an issued certificate at crt.sh, I came across a query:
https://crt.sh/?id=1919739664
Above is a precertificate for some domains; it has parameters like:

Validity
Not Before: Sep 24 06:05:56 2019 GMT
Not After : Dec 23 06:05:56 2019 GMT
This means the certificate was signed and usable after this timestamp: Sep 24 06:05:56 2019 GMT

Now, looking at its CT precertificate data below:
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log Name : DigiCert Yeti 2019
Log ID : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Timestamp : Sep 24 07:05:56.809 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:5F:E1:4D:66:DD:9E:63:B5:70:CB:8B:5D:
38:4F:B3:3F:17:03:0F:45:44:7B:60:1F:AE:FD:D3:42:
28:20:57:AB:02:20:13:9B:A0:6F:85:94:C6:9B:63:15:
0F:32:7C:BA:D4:7B:CA:D0:07:7F:B2:F6:41:0D:23:A3:
E1:19:49:2B:52:90
Signed Certificate Timestamp:
Version : v1(0)
Log Name : Google Argon 2019
Log ID : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
Timestamp : Sep 24 07:05:56.841 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:2C:ED:7F:2C:FD:0A:1C:7A:D4:4A:02:E9:
FE:76:C5:1D:D7:B9:78:6D:CB:35:50:18:55:56:6F:5E:
BA:94:04:20:02:20:56:32:3D:55:94:0E:A1:03:BE:A7:
5E:D5:2E:B3:12:C9:07:AF:22:DD:F1:BF:95:EA:0E:D1:
81:EE:50:DE:C8:39
It seems from the above data that the signed certificate timestamp in the precertificate is Sep 24 07:05:56.841 2019 GMT

http://www.certificate-transparency.org/how-ct-works

The certificate authority (CA) submits a precertificate to the log, and the log returns an SCT. The CA then attaches the SCT to the precertificate as an X.509v3 extension, signs the certificate, and delivers the certificate to the server operator.

How come the SCT is one hour later than the certificate validity start time?

Let’s Encrypt backdates certificates by one hour to create tolerance for clients that don’t quite have their clocks in sync.

So the certificate was really signed at 07:05, not 06:05.

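The offset explained in the answer above can be measured from the text dump itself. This is an added example, not part of the original thread: it parses the `Validity` and SCT lines quoted in the question (trimmed to the relevant fields) and reports how far each SCT timestamp sits after `Not Before`. The function names and the `max_backdate` threshold are hypothetical choices for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Trimmed excerpt of the dump quoted in the question (timestamps copied from the post).
SAMPLE = """\
Validity
Not Before: Sep 24 06:05:56 2019 GMT
Not After : Dec 23 06:05:56 2019 GMT
CT Precertificate SCTs:
Signed Certificate Timestamp:
Log Name : DigiCert Yeti 2019
Timestamp : Sep 24 07:05:56.809 2019 GMT
Signed Certificate Timestamp:
Log Name : Google Argon 2019
Timestamp : Sep 24 07:05:56.841 2019 GMT
"""

def _parse(ts):
    # Validity fields have whole seconds, SCT timestamps have milliseconds.
    # %b assumes an English/C locale for the month abbreviation.
    fmt = "%b %d %H:%M:%S.%f %Y GMT" if "." in ts else "%b %d %H:%M:%S %Y GMT"
    return datetime.strptime(ts.strip(), fmt).replace(tzinfo=timezone.utc)

def sct_offsets(text):
    """Return (not_before, not_after, [(log_name, sct_time, sct_time - not_before)])."""
    nb = _parse(re.search(r"Not Before\s*:\s*(.+)", text).group(1))
    na = _parse(re.search(r"Not After\s*:\s*(.+)", text).group(1))
    # Skip any lines (Log ID, hex continuation) between Log Name and Timestamp.
    pairs = re.findall(r"Log Name\s*:\s*(.+)\n(?:.*\n)*?\s*Timestamp\s*:\s*(.+)", text)
    scts = [(name.strip(), _parse(ts), _parse(ts) - nb) for name, ts in pairs]
    return nb, na, scts

def check(text, max_backdate=timedelta(hours=2)):
    """Flag SCTs outside the validity window or later than notBefore + max_backdate."""
    nb, na, scts = sct_offsets(text)
    findings = []
    for name, t, delta in scts:
        if not (nb <= t <= na):
            findings.append((name, "SCT outside validity window"))
        elif delta > max_backdate:
            findings.append((name, f"notBefore is {delta} before the SCT"))
    return findings

if __name__ == "__main__":
    for name, t, delta in sct_offsets(SAMPLE)[2]:
        print(f"{name}: SCT at {t.isoformat()}, {delta} after Not Before")
    print("findings:", check(SAMPLE))
```
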