Debian – How to set up Certificate Transparency if the CA doesn’t support it

Tags: apache-2.4, certificate-authority, debian, ssl-certificate

I think many of you have actually heard of Google's Certificate Transparency initiative. Now the initiative involves a public log of all certificates issued by some CA. As this is some amount of work, not all CAs have set it up yet. For example, StartCom already said that it's hard to set it up from their side and a proper set up will take them months. In the meantime all the EV certificates are "downgraded" to "standard certificates" by Chrome.

Now it was stated that there are three ways of providing the necessary records to prevent downgrading:

  • x509v3 extensions, clearly only possible to the CA
  • TLS extension
  • OCSP stapling

Now I think that the second and the third require (no?) interaction from the issuing CA.

So the question:
Can I set up certificate transparency support with my apache webserver if my CA doesn't support it and how can I do so if it's possible?

Best Answer

Sorry but you cannot unless you make your own extension for Certificate Transparency. There are no existing TLS extensions for certificate transparency in Apache 2.4.x and both x509v3 extensions and OCSP stapling can only be done by the Certificate Authority. Apache is working on bringing a TLS extension for Apache 2.5 however.
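As an added illustration (not part of the question or the answer above), here is a small Python parser for the record all three delivery paths carry: the RFC 6962 SignedCertificateTimestampList. The same TLS-encoded structure appears wrapped in an OCTET STRING in the X.509v3 extension (OID 1.3.6.1.4.1.11129.2.4.2), raw in the signed_certificate_timestamp TLS extension (type 18), and in the OCSP response extension (OID 1.3.6.1.4.1.11129.2.4.5). The sample bytes are constructed for the example, with dummy log IDs and signatures; no signature verification is done, the point is to show what the CA (or log) has to hand you before Apache could serve anything.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList (added example, not page code).

SignedCertificateTimestampList = <2-byte length> { <2-byte length> SCT }*
SCT = version(1) log_id(32) timestamp_ms(8) extensions<0..2^16-1>
      hash_alg(1) sig_alg(1) signature<0..2^16-1>
"""
import struct
from datetime import datetime, timezone


def _read_vec(buf, pos, len_bytes):
    """Read a TLS variable-length vector with a len_bytes-wide length prefix."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + n], pos + n


def parse_sct(sct):
    """Parse one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(sct) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = sct[0]
    if version != 0:  # v1 is the only version defined by RFC 6962
        raise ValueError(f"unsupported SCT version {version}")
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
    pos = 41
    extensions, pos = _read_vec(sct, pos, 2)
    # DigitallySigned: SignatureAndHashAlgorithm (2 bytes) + opaque signature<0..2^16-1>
    if pos + 2 > len(sct):
        raise ValueError("missing signature algorithm")
    hash_alg, sig_alg = sct[pos], sct[pos + 1]
    pos += 2
    signature, pos = _read_vec(sct, pos, 2)
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT signature")
    return {
        "version": version,
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": hash_alg,   # 4 = SHA-256 in the TLS 1.2 registry
        "sig_alg": sig_alg,     # 3 = ECDSA, 1 = RSA
        "signature": signature,
    }


def parse_sct_list(data):
    """Parse a full SignedCertificateTimestampList; rejects truncated or padded input."""
    body, pos = _read_vec(data, 0, 2)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        sct, p = _read_vec(body, p, 2)
        scts.append(parse_sct(sct))
    return scts


def build_sct(log_id, timestamp_ms, signature, hash_alg=4, sig_alg=3):
    """Encode one v1 SCT with no extensions (used only to construct sample input)."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes (SHA-256 of the log key)")
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)
            + bytes([hash_alg, sig_alg])
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts):
    """Wrap encoded SCTs in the outer list framing."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample: two SCTs with dummy log IDs and dummy DER-shaped signatures.
# 1411171200000 ms is 2014-09-20 00:00:00 UTC.
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(bytes([0xAA]) * 32, 1411171200000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    build_sct(bytes([0xBB]) * 32, 1411174800000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])

if __name__ == "__main__":
    for entry in parse_sct_list(SAMPLE_SCT_LIST):
        print(entry["log_id"][:16], entry["timestamp"].isoformat(), entry["signature"].hex())
```

To see whether a CA actually embedded SCTs in a certificate it issued, `openssl x509 -in cert.pem -noout -text` (OpenSSL 1.1.0 or later) prints a "CT Precertificate SCTs" section for the X.509v3 extension above; if it is absent, the parser has nothing to work on from the certificate itself.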