Signed Certificate Timestamps embedded in certificates


#1

Let’s Encrypt has always submitted certificates to Certificate Transparency logs. However, it hasn’t provided proof of that in the certificates. Starting soon, we will provide that proof by embedding Signed Certificate Timestamps (SCTs) in each newly issued certificate. These are signed assertions by log operators that we have submitted a corresponding precertificate to their log, and it will soon be incorporated. Our policy will be to include one SCT from a Google log and one SCT from a non-Google log, following Chrome’s CT Policy.

No action is required from Let’s Encrypt subscribers. This will happen automatically for newly issued and renewed certificates. When Chrome begins enforcing its CT policy in April, it will be for certificates issued after April 30, 2018. So if you currently have a certificate in place, there is no need to renew it early. It will continue to be valid, and when your next automated renewal rolls around, your certificate will have SCTs in it.

If you would like to take advantage of the security benefits of certificate transparency, you can monitor your domains using a CT monitoring tool like SSLMate’s Cert Spotter, Hardenize’s CT monitoring, or Facebook’s CT monitoring tool. These tools can send you a notification when certificates are issued for your domains.

SCT embedding is already enabled in our staging environment. We will enable it in production in the next week or so; we’ll post an update here, and there will be an update on https://letsencrypt.status.io/.


Signed Certificate Timestamps
Non-logging of final certificates
Certbot claims OID Extension is invalid
#2

SCT feature support
#3

As of now, all newly issued Let’s Encrypt certificates should have embedded SCTs. Please start a new thread in the forum if you see any issues.