It’s significantly more complicated than it sounds, actually. I’d encourage you to read the relevant section of RFC6962. In effect, the CA has to issue the certificate twice. First you generate a precertificate with a critical poison extension, then submit it to a CT log, receive the SCT, and then sign it again. There is potential for failure and delay at each step in the process, plus significant additional complexity, which is why the authors of the CT spec included easier options.
jsha
11
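An added illustration, not part of jsha's post or of any CA's code: the precertificate and the final certificate carry different extensions, which is why the certificate body has to be signed twice. This stdlib-only Python sketch classifies a DER Extensions block by the RFC 6962 poison and embedded SCT list OIDs; the helper names, sample extension blocks and SCT bytes are constructed for the example.

```python
POISON = "1.3.6.1.4.1.11129.2.4.3"    # RFC 6962 precertificate poison extension
SCT_LIST = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962 embedded SCT list extension

def tlv(tag, body):  # DER TLV, short-form length only (enough for the samples)
    if len(body) > 127:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(body)]) + body

def enc_oid(dotted):  # DER-encode a dotted OID, base-128 per arc
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def extension(oid, critical, value):
    crit = tlv(0x01, b"\xff") if critical else b""  # DER omits DEFAULT FALSE
    return tlv(0x30, enc_oid(oid) + crit + tlv(0x04, value))

def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if length > 127 or end > len(buf):
        raise ValueError("unsupported or truncated DER")
    return tag, buf[pos + 2:end], end

def classify(extensions_der):  # input: DER of the Extensions SEQUENCE
    _, body, _ = read_tlv(extensions_der, 0)
    seen, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, nxt = read_tlv(ext, 0)
        tag, val, nxt = read_tlv(ext, nxt)
        critical = False
        if tag == 0x01:  # optional critical BOOLEAN precedes extnValue
            critical = val != b"\x00"
            tag, val, nxt = read_tlv(ext, nxt)
        seen[oid] = (critical, val)
    poison = seen.get(enc_oid(POISON)[2:])
    if poison is not None:  # must be critical and wrap ASN.1 NULL (05 00)
        return "precertificate" if poison == (True, b"\x05\x00") else "malformed-poison"
    return "final-with-scts" if enc_oid(SCT_LIST)[2:] in seen else "no-ct-extensions"

# Constructed samples: basicConstraints plus one CT-related extension each.
BASIC = extension("2.5.29.19", True, b"\x30\x00")
PRECERT = tlv(0x30, BASIC + extension(POISON, True, b"\x05\x00"))
FINAL = tlv(0x30, BASIC + extension(SCT_LIST, False, b"constructed-sct-list"))
BAD = tlv(0x30, BASIC + extension(POISON, False, b"\x05\x00"))
```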