Configuring Nginx to send certificate transparency SCT

You can see the “Certificate Transparency: No” on the Qualys SSL test for me, even though OCSP is hooked up:


Although I can see my certs in certificate transparency logs, I assume this is because my server isn’t including the SCT.

It seems like including that in Let’s Encrypt’s OCSP response is on the backlog, but maybe not going to happen anytime soon, as I was reading that in a thread from 2015? And I haven’t heard anything about using an X.509v3 extension either. Please correct me if I’m wrong if there’s a way to use the above.

That leaves a TLS extension. I’m running the latest Nginx (1.13.4), although I’d like to also know how to set this up eventually on Apache. Anyone have suggestions for how to include the SCT? Thank you.

To use the TLS extension, you’ll need to compile nginx with this third-party module. There appears to be an experimental module for apache as well, though I have no experience with that one.

Let’s Encrypt will start embedding SCTs in a X.509 extension (i.e. in the actual certificate) at some point before Certificate Transparency becomes mandatory in Chrome. It’s currently scheduled for February, 2018.

From a practical point of view, there isn’t much benefit in deploying SCT delivery before that date, unless you plan on deploying Expect-CT too.


Thanks. I made a blog post about my experience compiling Nginx with the CT module and OpenSSL, and then generating SCTs with a project called “ct-submit.”

I’d be interested if any members of this forum know of ways my process could be improved (particularly, the SCT generation process). Thank you.


This looks good. I would add two things:

  • CAs are pretty new at operating CT logs, and the browser policies for CT in general are still in flux. If you commit to Expect-CT, you will need to monitor the relevant mailing lists for log removals and policy changes regularly (both of which have happened in the past), or your site might break (assuming you’re using the enforce directive).
  • SCT generation should be part of your renewal process, through something like a certbot hook or similar.
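One way to fold SCT generation into renewal, as an added example that is not part of this thread or of the nginx-ct, ct-submit or certbot projects: a certbot deploy hook that runs ct-submit against each log and swaps the resulting .sct files into the directory nginx-ct loads. The ct-submit invocation, the nginx-ct directives, the log names and the MIN_SCTS threshold are assumptions to check against current documentation and browser policy.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: ct-submit is on PATH and
# nginx is configured with "ssl_ct on; ssl_ct_static_scts /etc/nginx/scts/<lineage>;".
set -eu

SCT_ROOT="${SCT_ROOT:-/etc/nginx/scts}"
CT_SUBMIT="${CT_SUBMIT:-ct-submit}"
# Placeholder log list (assumption): logs get added and removed, so review it
# against the browser CT policy whenever this hook warns about a failing log.
CT_LOGS="${CT_LOGS:-ct.googleapis.com/logs/argon2024 ct.cloudflare.com/logs/nimbus2024}"
MIN_SCTS="${MIN_SCTS:-2}"   # browsers want SCTs from several logs (assumed threshold)

# generate_scts CHAIN.pem OUTDIR: submit the chain to every log in CT_LOGS and
# write one <log>.sct per successful submission. A log that fails or returns an
# empty SCT is skipped with a warning instead of breaking renewal. Files are
# staged in a temporary directory and swapped in at the end, so nginx never
# loads a half-written set. Returns 1 if fewer than MIN_SCTS were obtained.
generate_scts() {
    chain="$1"; out="$2"; n=0
    tmp="$(mktemp -d "${out}.XXXXXX")"
    for log in $CT_LOGS; do
        name="$(printf '%s' "$log" | tr '/.' '__')"
        if ! "$CT_SUBMIT" "$log" < "$chain" > "$tmp/$name.sct" || [ ! -s "$tmp/$name.sct" ]; then
            echo "warning: no SCT from $log (removed or unreachable log?)" >&2
            rm -f "$tmp/$name.sct"
            continue
        fi
        n=$((n + 1))
    done
    if [ "$n" -lt "$MIN_SCTS" ]; then
        echo "error: only $n SCT(s) obtained, keeping the previous set" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$out.old"
    if [ -d "$out" ]; then mv "$out" "$out.old"; fi
    mv "$tmp" "$out"
    rm -rf "$out.old"
}

# Entry point when certbot runs this as --deploy-hook: certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) for the renewed cert.
deploy_hook() {
    site="$(basename "$RENEWED_LINEAGE")"
    generate_scts "$RENEWED_LINEAGE/fullchain.pem" "$SCT_ROOT/$site"
    nginx -t && systemctl reload nginx   # assumes a systemd-managed nginx
}
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy_hook; fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script` (or drop it in renewal-hooks/deploy); the warning line is the place to watch for the log removals mentioned above.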

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.