On 16/02/17 10:04, 'Rob Percival' via certificate-transparency wrote:
> Hi Val,
>
> Because your certs chain to a public root cert, you'd need to log them
> to public CT logs for Chrome to accept them. That means you don't need
> to deploy your own CT logs. If you don't want to log them publicly, you
> should either re-issue them from your own private CA (in which case,
> Chrome will not enforce CT for them), or disable CT enforcement in
> Chrome for your domain(s)
> <
https://www.chromium.org/administrators/policy-list-3#CertificateTransparencyEnforcementDisabledForUrls>.
> Bear in mind that you sacrifice some security when disabling CT.
Hi Val. If you don't want to switch to a private CA and you don't want
to disable CT enforcement in Chrome, then...
Your TLS server(s) will need to provide SCTs in TLS handshakes using any
of these 3 mechanisms:
1. In a certificate extension.
2. In a Stapled OCSP response extension.
3. In the signed_certificate_timestamp TLS extension.
By "microsoft based environment", I assume you mean that you're using an
instance of Microsoft Certificate Services to issue certificates and
also an instance of Microsoft's OCSP Responder software. Is that
correct? If so, then I'm afraid it's highly likely that your current
environment doesn't support any of the 3 SCT distribution mechanisms
listed above. :-(
However...
If your F5 load balancers support OCSP Stapling, then one possible
solution would be to delegate the OCSP function to another party that is
able to embed SCTs in OCSP responses on your behalf.
(I've not seen any such "OCSP Hosting" services advertised, but I know
that both Comodo and GlobalSign operate this sort of service for some
enterprise customers).
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online