Is it possible to issue a certificate without a transparency log


#1

I want to issue an SSL certificate for a personal subdomain, but I want to keep it private; I don't want anyone finding out about it. Is it possible to keep the SSL certificate completely private?


#2

No, all certificates must be logged in order to be considered valid. This is a requirement for all publicly trusted certificate authorities. The best you can do with a publicly trusted certificate is to get a wildcard; that way the specific subdomain itself is not logged, only the base domain.


#3

Is it? I thought it’s just Google with its browser Chrome. I can’t find any mandatory CT logging in the CA/B Forum Baseline Requirements.


#4

I have a question too, does anybody in the scene know what happened with redacted precerts?

Was there a particular decision that said it wasn’t acceptable? I never found anything on the mailing lists.


#5

Short of creating your own cert, I believe getting a publicly signed cert implies public visibility.
That said, obtaining a wildcard cert obscures the actual use(s).
Without knowing the exact FQDN, one can never reach the private site.
To that end, you could change the name of the site as often as you like.
If you also have multiple IPs/ports to "play with", you could conceivably "hide in plain sight".
Given: you control your Internet DNS zone and your private clients don't inadvertently "leak" your site info [which may be all too easy to do]. This means that all parties should only use "trusted" DNS systems and encrypt their DNS requests and replies [not an easy thing to implement], OR update local hosts files from secure, trusted sources.
Any "random" hit on the exposed IP/port should naturally default to something other than your "private site".

In summary, I don’t think it would be practical to think that you could maintain any such “private system” actually “unknown” while connected to the Internet and actually in use.


#6

Wildcards may work well for this. You can issue a wildcard certificate which is valid for every (first-level!) subdomain, and then it’s just logged as a wildcard.
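Added example, not part of the thread above: posts #2 and #6 rely on the rule that a wildcard name covers exactly one label, so a CT entry for `*.example.com` reveals nothing about `secret.example.com`. The script below implements the wildcard matching rule that RFC 6125 section 6.4.3 describes and that modern TLS stacks apply, and treats the certificate's SAN list as a stand-in for what a CT log entry would expose. The SAN list and hostnames are constructed sample data; nothing here is Let's Encrypt or browser code.

```python
"""Which hostnames does a wildcard certificate actually cover?

Wildcard matching as browsers apply it (RFC 6125 section 6.4.3, tightened
the way current TLS stacks do it): '*' is honoured only as the entire
leftmost label and matches exactly one label. So '*.example.com' covers
'secret.example.com' but neither 'example.com' nor 'a.secret.example.com'.
"""


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.lower().rstrip(".")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname."""
    san = _normalize(san)
    hostname = _normalize(hostname)
    if "*" not in san:
        return san == hostname
    labels = san.split(".")
    # The wildcard must be the whole leftmost label ('*.example.com').
    # Partial ('*abc.example.com') or non-leftmost ('a.*.example.com')
    # wildcards are rejected.
    if labels[0] != "*" or "*" in san[2:]:
        return False
    # Refuse overly broad names such as '*' or '*.com': at least two fixed
    # labels must follow the wildcard.
    if len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # '*' matches exactly one label, so the label counts must be equal and
    # everything after the first label must be identical.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(sans, hostname: str) -> bool:
    """True if any SAN in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)


def ct_exposed_names(sans):
    """The names a CT lookup would reveal for this cert: its SAN list, nothing more."""
    return sorted({_normalize(s) for s in sans})


# Constructed sample: a wildcard cert as described in post #6, plus the apex.
SAMPLE_SANS = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ["secret.example.com", "example.com",
                 "deep.secret.example.com", "evil.com"]:
        print(f"{host:28s} covered={cert_covers(SAMPLE_SANS, host)}")
    print("CT log reveals:", ct_exposed_names(SAMPLE_SANS))
```

Running it shows that the sub-subdomain `deep.secret.example.com` is not covered by `*.example.com`; if the "private" host lives two levels down, it needs its own name in the certificate, and that name is what gets logged.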