Certificate transparency submit

Hello all;

December 3 is approching so I’v pushed to https://github.com/jbvignaud/cts-submit a small tool that submit certificates and generate the correct TLS extention that will provide those info to the browser.

written in php, command line tool, but you can extract what you need as it’s a very simple tool.

basically use it like this (dont forget chmod +x):

./cts-submit.php cert.pem lets-encrypt-x1-cross-signed.pem > cert.sct.pem

Then use SSLOpenSSLConfCmd ServerInfoFile path_to/cert.sct.pem in the corresponding virtual host.

I dont know if it can work with other http server. it needs apache 2.4.8 and openssl 1.0.2

This might be useful as it is currently not done by the LE client, but...

is a bit confusing to me. Because actually not the owner of the server, but the CA submits the cert to the certificate transparency servers.
And LE does this for every certificate it has issued and for every one it's issuing.

More information:

Anyone can submit a certificate to a CT log.

Yes LE does submit every cert but we do not get the signatures back.
When we resubmit them we get the signature (i guess the same that LE get when they submit them in the first place); and since LE do not include this sig in the cert nor in ocsp; we are the able to create a tls extension that does the job.

Besides; you would want to submit your cert to other ct than LE first submission list.

2 Likes

I have SCT working with nginx + nginx-ct, but it uses a directory of binary .sct files that i generated with ct-submit; there's also an Apache module that uses the same type of data, it could be easier to maintain in the long run.

Maybe, but why should you do this in case you use LE? The LE server does it automatically for every cert issued.

1 Like

@rugk, apparently in order to get the proof of inclusion. (I think eventually Let’s Encrypt is going to provide an alternative method for this, but currently doesn’t.)

You can just look your cert up to see whether it is included in the logs.

You can submit to other logs than those LE uses.

Well… yes this is possible. :smile:

I have already a complete binary .sct file that includes the tls extension required for ServerInfo. How can I generate from that .sct the appropriate .pem to use with ServerInfo?

Well, if your file contains everything, you can base64 encode it (with line wrap) and add:
-----BEGIN SERVERINFO FOR EXTENSION 18-----
base64 lines
-----END SERVERINFO FOR EXTENSION 18-----

in php:

$tls_extention_pem = “-----BEGIN SERVERINFO FOR EXTENSION 18-----\n” . wordwrap(base64_encode($tls_extention), 64, “\n”, true) . “\n-----END SERVERINFO FOR EXTENSION 18-----\n”;
echo $tls_extention_pem;

1 Like

FYI @jsha:

That said, we are starting to design the process to submit precertificates so we can embed SCTs in certificates, and plan to implement before next October.