Certificate transparency submit

jbvignaud · November 26, 2015, 10:36am

Hello all;

December 3 is approching so I’v pushed to https://github.com/jbvignaud/cts-submit a small tool that submit certificates and generate the correct TLS extention that will provide those info to the browser.

written in php, command line tool, but you can extract what you need as it’s a very simple tool.

basically use it like this (dont forget chmod +x):

./cts-submit.php cert.pem lets-encrypt-x1-cross-signed.pem > cert.sct.pem

Then use SSLOpenSSLConfCmd ServerInfoFile path_to/cert.sct.pem in the corresponding virtual host.

I dont know if it can work with other http server. it needs apache 2.4.8 and openssl 1.0.2

rugk · November 26, 2015, 7:02pm

This might be useful as it is currently not done by the LE client, but...

is a bit confusing to me. Because actually not the owner of the server, but the CA submits the cert to the certificate transparency servers.
And LE does this for every certificate it has issued and for every one it's issuing.

More information:

kerio · November 26, 2015, 7:55pm

Anyone can submit a certificate to a CT log.

jbvignaud · November 26, 2015, 8:01pm

Yes LE does submit every cert but we do not get the signatures back.
When we resubmit them we get the signature (i guess the same that LE get when they submit them in the first place); and since LE do not include this sig in the cert nor in ocsp; we are the able to create a tls extension that does the job.

Besides; you would want to submit your cert to other ct than LE first submission list.

kerio · November 26, 2015, 8:29pm

I have SCT working with nginx + nginx-ct, but it uses a directory of binary .sct files that i generated with ct-submit; there's also an Apache module that uses the same type of data, it could be easier to maintain in the long run.

rugk · December 5, 2015, 4:59pm

Maybe, but why should you do this in case you use LE? The LE server does it automatically for every cert issued.

schoen · December 5, 2015, 5:22pm

@rugk, apparently in order to get the proof of inclusion. (I think eventually Let’s Encrypt is going to provide an alternative method for this, but currently doesn’t.)

rugk · December 5, 2015, 5:24pm

You can just look your cert up to see whether it is included in the logs.

jbvignaud · December 5, 2015, 5:28pm

You can submit to other logs than those LE uses.

rugk · December 5, 2015, 5:28pm

Well… yes this is possible.

Jason · January 26, 2016, 5:58pm

I have already a complete binary .sct file that includes the tls extension required for ServerInfo. How can I generate from that .sct the appropriate .pem to use with ServerInfo?

jbvignaud · January 27, 2016, 7:27am

Well, if your file contains everything, you can base64 encode it (with line wrap) and add:
-----BEGIN SERVERINFO FOR EXTENSION 18-----
base64 lines
-----END SERVERINFO FOR EXTENSION 18-----

in php:

$tls_extention_pem = “-----BEGIN SERVERINFO FOR EXTENSION 18-----\n” . wordwrap(base64_encode($tls_extention), 64, “\n”, true) . “\n-----END SERVERINFO FOR EXTENSION 18-----\n”;
echo $tls_extention_pem;

rugk · December 4, 2016, 2:47pm

FYI @jsha:

That said, we are starting to design the process to submit precertificates so we can embed SCTs in certificates, and plan to implement before next October.

Topic		Replies	Views
Configuring Nginx to send certificate transparency SCT Server	4	3103	October 5, 2017
How easy is setting up certificate transparency? Server	3	4379	July 23, 2016
Certificate transparency (CT) monitoring for Let's Encrypt certificates Server	3	6114	August 8, 2017
Certificate Transparency + X.509v3 Extension Feature Requests	2	5204	December 16, 2015
Certificate Transparency Search Resources Issuance Tech	9	1636	September 13, 2023

Certificate transparency submit

Related topics