The following CT log shards are now outside of their certificate expiry range and have been removed from Chrome:
Google Argon2025h1 (https://ct.googleapis.com/logs/us1/argon2025h1/)
Google Xenon2025h1 (https://ct.googleapis.com/logs/eu1/xenon2025h1/)
DigiCert Sphinx2025h1 (https://sphinx.ct.digicert.com/2025h1/)
DigiCert Wyvern2025h1 (https://wyvern.ct.digicert.com/2025h1/)
Sectigo Sabre2025h1 (https://sabre2025h1.ct.sectigo.com/)
Sectigo Mammoth2025h1 (https://mammoth2025h1.ct.sectigo.com/)
Let's Encrypt Oak2025h1 (https://oak.ct.letsencrypt.org/2025h1/)
These logs have transitioned to the Rejected state, which means they have been removed entirely from the log list shipped to Chrome. SCTs from these Rejected logs - past, present, or future - no longer count towards a certificate’s CT compliance, regardless of how the SCTs are delivered.
What does this mean for site operators
These logs transitioning to Rejected should require no action by site operators, since all certificates relying on SCTs issued by these logs should now be expired and/or no longer in use. This is true whether sites are delivering SCTs via OCSP, TLS extension, or embedded in the certificate itself.
What does this mean for CAs
There should be no impact to CAs from Rejecting these logs. If a CA still has any of these logs configured for production certificate logging purposes, they should be removed and the CA should ensure that they are logging certificates to a policy-satisfying set of Usable CT logs.
What does this mean for Log Operators
Once CT logs transition to Rejected, Chrome no longer requires that they continue operation. Log operators for these logs should check with other CT-enforcing user agents to ensure that there are no issues with ceasing operation of these CT logs (if they are still operational).
Log operators for CT logs not listed above do not need to take any action.
Best,
Joe, on behalf of the Chrome CT team
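
For the CA check described above, an added example (not part of the original message and not Chrome's code) that audits a CA's configured log URLs against a log list and a certificate's expiry date. It assumes the v3 log_list.json layout (operators, logs, state, temporal_interval); the sample list and the example.test URLs are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in the (assumed) v3 log_list.json layout; not real log data.
SAMPLE_LOG_LIST = {"operators": [{"name": "Example Operator", "logs": [
    {"url": "https://ct.example.test/2026h1/",
     "state": {"usable": {"timestamp": "2024-11-01T00:00:00Z"}},
     "temporal_interval": {"start_inclusive": "2026-01-01T00:00:00Z",
                           "end_exclusive": "2026-07-01T00:00:00Z"}},
    {"url": "https://ct.example.test/2026h2/",
     "state": {"qualified": {"timestamp": "2025-05-01T00:00:00Z"}},
     "temporal_interval": {"start_inclusive": "2026-07-01T00:00:00Z",
                           "end_exclusive": "2027-01-01T00:00:00Z"}},
]}]}

def _ts(value):
    # Parse an RFC 3339 "Z" timestamp into a timezone-aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_configured_logs(log_list, configured_urls, not_after):
    """Map each configured log URL to a finding for a cert expiring at not_after."""
    known = {log["url"]: log
             for op in log_list["operators"] for log in op["logs"]}
    findings = {}
    for url in configured_urls:
        log = known.get(url)
        if log is None:
            # Rejected logs are removed from the list entirely, so they land here.
            findings[url] = "missing"
            continue
        state = next(iter(log["state"]))  # the single key names the current state
        if state != "usable":
            findings[url] = f"not_usable:{state}"
            continue
        shard = log.get("temporal_interval")
        if shard and not (_ts(shard["start_inclusive"]) <= not_after
                          < _ts(shard["end_exclusive"])):
            # Temporally sharded logs only accept certs expiring inside the range.
            findings[url] = "out_of_range"
            continue
        findings[url] = "ok"
    return findings

if __name__ == "__main__":
    configured = ["https://ct.googleapis.com/logs/us1/argon2025h1/",
                  "https://ct.example.test/2026h1/",
                  "https://ct.example.test/2026h2/"]
    expiry = datetime(2026, 3, 15, tzinfo=timezone.utc)
    for url, finding in audit_configured_logs(SAMPLE_LOG_LIST, configured, expiry).items():
        print(f"{finding:22} {url}")
```

Any finding other than "ok" marks a log that should be dropped from the production logging configuration for that certificate.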