Oak shards are now usable by Certificate Authorities

Hi everybody!

Our Oak 2020 - 2022 shards are now usable according to the Apple and Google CT programs. :tada:

What this means:

  • As a subscriber or reliant party, nothing will change for you.
  • For the Let’s Encrypt certificate authority this means we will be embedding SCTs from Oak into our certificates. Using our own CT log helps us take control of our destiny. We can manage the availability of our own infrastructure and only need to rely on one more public CT log.
  • As a certificate authority, this means you can now rely upon and embed SCTs from our usable Oak shards! Please refer to the Apple and Chromium CT policies for an authoritative list.
  • The CT ecosystem is now slightly larger and we can help share the burden that other logs bore before us.

If you operate a public certificate authority and your Root CA certificate is not found in our accepted roots list, please let us know! We’d love to have you.


If you are a certificate authority submitting to our CT shards, please consider adding a uniquely identifiable user agent to make log analysis easier on us!

I’m looking at you specifically, Go-http-client/1.1 :eyes:

For reference, our boulder CA currently uses the le-boulder/1.0 user agent.
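
For submitters written in Go, here is one way to replace the default `Go-http-client/1.1` user agent on every request. This is an added example, not part of the original post or of Boulder's code. The names `uaTransport`, `newCTClient` and `observedUserAgent`, and the agent string `example-ca-ct-submitter/1.0`, are hypothetical, and the server is a local stand-in rather than a real log.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// uaTransport stamps every outgoing request with a fixed User-Agent so a
// log operator can attribute traffic to one submitter (hypothetical type).
type uaTransport struct {
	userAgent string
	next      http.RoundTripper
}

func (t *uaTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// A RoundTripper must not mutate the caller's request, so clone it first.
	r := req.Clone(req.Context())
	r.Header.Set("User-Agent", t.userAgent)
	return t.next.RoundTrip(r)
}

// newCTClient returns an HTTP client that identifies itself on every request.
func newCTClient(userAgent string) *http.Client {
	return &http.Client{Transport: &uaTransport{userAgent: userAgent, next: http.DefaultTransport}}
}

// observedUserAgent sends one request through client to a local stand-in
// server (constructed for this example) and returns the User-Agent it saw.
func observedUserAgent(client *http.Client) (string, error) {
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.UserAgent()
	}))
	defer srv.Close()
	resp, err := client.Get(srv.URL + "/ct/v1/get-sth") // RFC 6962 path, local server
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return seen, nil
}

func main() {
	def, _ := observedUserAgent(&http.Client{})
	custom, _ := observedUserAgent(newCTClient("example-ca-ct-submitter/1.0"))
	fmt.Printf("default: %q\ncustom:  %q\n", def, custom)
}
```

Setting the header in the transport rather than per request means retries and any other code paths sharing the client carry the same identifier.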