Adding certificates to the Certificate Transparency (CT) logs.
"Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy. After this date, when Chrome connects to a site serving a publicly-trusted certificate that is not compliant with the Chromium CT Policy, users will begin seeing a full page interstitial indicating their connection is not CT-compliant. Sub-resources served over https connections that are not CT-compliant will fail to load and will show an error in Chrome DevTools." -- Devon O'Brien on Chromium CT Policy Mailing List
Comodo CA's Position
All COMODO CA issued TLS/SSL certificates, since 23 March 2018, comply with Chromium's CT Policy, therefore COMODO CA customers need not take any action at this time to include certificates issued on or after such a date in any known CT Log to be compliant with Google's Chrome mandate for April 2018.
Enforcement of CT compliance will only apply to certificates issued after April 2018; certificates issued before this date are unaffected and do not require registration in a known CT Log.
Certificate Transparency (CT) requires that all TLS clients (e.g. Google Chrome) must support the following three mechanisms for including the Signed Certificate Timestamp (SCT) in the TLS handshake:
As such servers can use any one of these mechanisms to return CT information to TLS clients.
Comodo CA makes use of an X509v3 extension and includes (embeds) SCTs within the certificate itself.
Manually adding a Certificate to a Certificate Transparency (CT) Log
If one wishes to submit a certificate, issued prior to 23 March 2018, to one or more known (to Google Chrome) CT Logging endpoints, please follow these instructions:
Comodo CA's CT Log URLs:
Google's CT Log URLs:
A list of logs can be found at: https://crt.sh/monitored-logs