How easy is setting up certificate transparency?


#1

I see there are a few ways that cert transparency might work here. I’ve successfully set up OCSP Stapling on my server (Apache 2.4.18 on Ubuntu 16.04 with OpenSSL 1.0.2d), but on the Qualys SSL test, it still says “certificate transparency: no”.

I found this guy’s blog and… it looks like I’ll either need to patch my Apache or something else I don’t think I want to do.

Is CT still a bleeding edge feature that most people should just wait a year before attempting themselves?


#2

Currently Boulder (the server software that powers Let’s Encrypt) doesn’t support embedding SCTs into OCSP responses which is what is needed to provide SCTs via OCSP stapling, although this is on our minds as something we’d like to implement in the nearish future.

If you can’t wait for us to add OCSP support there is still an option, embedding the SCT in the TLS handshake. Once you have the SCT (Tom Ritter’s blog post you link above includes a good script to retrieve SCTs from logs once they have been submitted) you can configure either Apache or Nginx to provide the SCTs to clients during handshakes but in both cases (as far as I know) you’ll need to compile the servers from source as neither stable versions are built with the support enabled yet.


#3

Looks like the answer for me is to check back in 6 months :slight_smile: Thanks for the reply.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.