SWITCHpki certificates and Google’s Certificate Transparency project

In December 2014, Google released a slightly updated version of its Improving the Security of EV Certificates plan and has implemented this policy in the Chrome/Chromium browsers (Certificate Transparency: Require SCTs for EV certificates). As of version 41 (released on 3 March 2015), Chrome and Chromium therefore enforce an additional requirement on EV SSL certificates: to receive the special UI treatment (prominent display of the organization name and country from the certificate in the URL bar, see also this test site), the server must provide the browser with a certain number of so-called signed certificate timestamps (SCTs), i.e. signed promises from public Certificate Transparency logs that the certificate has been submitted for logging. How many SCTs are needed depends on the certificate's validity period: two for lifetimes under 15 months, rising to five for lifetimes above 39 months, and at least one of them must come from a Google-operated log and one from a non-Google log.

While the technical specification in RFC 6962 lists three options for a server to deliver these SCTs to the client (a TLS extension in the handshake, an OCSP stapled response carrying the SCTs, or SCTs embedded in the certificate), only one of them is currently feasible for wider deployment: embedding the SCTs in the certificate itself in the form of a custom X.509 extension (with OID 1.3.6.1.4.1.11129.2.4.2). The other two require server software and CA infrastructure that are not widely available yet. With the embedded variant, the CA first submits a so-called precertificate to the logs, collects the SCTs they return, and then issues the final certificate with the SCTs included, so nothing beyond installing the certificate is required on the server side. An EV SSL certificate which fails to meet the requirements specified in Google's EV/CT plan is not rejected, but is treated like a standard (non-EV) SSL certificate.
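The extension described above is a DER OCTET STRING wrapping the TLS-encoded SignedCertificateTimestampList from RFC 6962 section 3.3: a 16-bit total length, followed by 16-bit-length-prefixed SCTs, each consisting of a version byte, a 32-byte log ID (SHA-256 of the log's public key), a 64-bit millisecond timestamp, a length-prefixed extensions field and a TLS digitally-signed structure. The following script is an added example, not SWITCHpki or QuoVadis code: it decodes such an extension value and compares the number of SCTs against the lifetime table from Google's EV/CT plan. The sample extension is constructed inside the script (dummy log IDs and placeholder signature bytes) so that it runs offline; with a real certificate, the bytes of the extension with OID 1.3.6.1.4.1.11129.2.4.2 would be passed instead. Whether the SCTs come from logs Chrome recognises is not checked, since that needs the current log list.

```python
"""Decode the embedded SCT list of an EV certificate (RFC 6962, section 3.3).

Added example, not SWITCHpki or QuoVadis code.  The extension with OID
1.3.6.1.4.1.11129.2.4.2 carries, inside a DER OCTET STRING, the TLS-encoded
SignedCertificateTimestampList.  SAMPLE_EXTENSION is constructed below with
dummy log IDs and signatures so the script runs offline.
"""
import struct
from datetime import datetime, timezone

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"


def unwrap_der_octet_string(ext_value):
    """Strip the DER OCTET STRING header that X.509 wraps around the TLS data."""
    if ext_value[0] != 0x04:
        raise ValueError("extension value is not a DER OCTET STRING")
    length, pos = ext_value[1], 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(ext_value[2:2 + n], "big")
        pos = 2 + n
    if pos + length != len(ext_value):
        raise ValueError("OCTET STRING length does not match extension value")
    return ext_value[pos:]


def parse_sct(sct):
    """Decode one SignedCertificateTimestamp (only version 1 exists)."""
    if sct[0] != 0:
        raise ValueError("unsupported SCT version %d" % sct[0])
    log_id = sct[1:33]                             # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack_from("!Q", sct, 33)   # milliseconds since the Unix epoch
    (ext_len,) = struct.unpack_from("!H", sct, 41)
    pos = 43 + ext_len                             # skip CtExtensions (empty in practice)
    hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", sct, pos)
    pos += 4
    if pos + sig_len != len(sct):
        raise ValueError("SCT signature length does not match SCT size")
    return {
        "log_id": log_id,
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "hash_alg": hash_alg,                      # 4 = SHA-256 (RFC 5246 registry)
        "sig_alg": sig_alg,                        # 3 = ECDSA, 1 = RSA
        "signature": sct[pos:pos + sig_len],
    }


def parse_sct_list(tls_list):
    """Decode SignedCertificateTimestampList: uint16 total, then uint16-prefixed SCTs."""
    (total,) = struct.unpack_from("!H", tls_list, 0)
    if total != len(tls_list) - 2:
        raise ValueError("sct_list length does not match data")
    scts, pos = [], 2
    while pos < len(tls_list):
        (n,) = struct.unpack_from("!H", tls_list, pos)
        pos += 2
        scts.append(parse_sct(tls_list[pos:pos + n]))
        pos += n
    return scts


def required_sct_count(lifetime_months):
    """Embedded SCTs Chrome expects for an EV certificate, per Google's EV/CT plan:
    2 below 15 months, 3 up to 27 months, 4 up to 39 months, 5 beyond that."""
    if lifetime_months < 15:
        return 2
    if lifetime_months <= 27:
        return 3
    if lifetime_months <= 39:
        return 4
    return 5


def meets_ev_ct_requirement(ext_value, lifetime_months):
    """True if the extension carries at least the required number of SCTs.
    Log recognition (Google/non-Google mix) is out of scope here."""
    scts = parse_sct_list(unwrap_der_octet_string(ext_value))
    return len(scts) >= required_sct_count(lifetime_months)


# ---- constructed sample: dummy log IDs, placeholder signatures, no real cert ----
def _build_sample_extension(entries):
    scts = []
    for log_id, ts_ms in entries:
        sig = b"\x30\x44" + b"\x00" * 68           # placeholder, not a valid ECDSA signature
        body = (bytes([0]) + log_id + struct.pack("!Q", ts_ms) + struct.pack("!H", 0)
                + struct.pack("!BBH", 4, 3, len(sig)) + sig)
        scts.append(struct.pack("!H", len(body)) + body)
    tls = b"".join(scts)
    tls = struct.pack("!H", len(tls)) + tls
    n = len(tls)                                   # DER OCTET STRING, long form if >= 128
    if n < 128:
        return b"\x04" + bytes([n]) + tls
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(lb)]) + lb + tls


SAMPLE_EXTENSION = _build_sample_extension([
    (b"\x01" * 32, 1425340800000),                 # 2015-03-03T00:00:00Z (Chrome 41 release day)
    (b"\x02" * 32, 1425340800000),
])

if __name__ == "__main__":
    for sct in parse_sct_list(unwrap_der_octet_string(SAMPLE_EXTENSION)):
        print(sct["log_id"].hex(), sct["timestamp"].isoformat())
    print("12-month EV certificate:", meets_ev_ct_requirement(SAMPLE_EXTENSION, 12))
    print("36-month EV certificate:", meets_ev_ct_requirement(SAMPLE_EXTENSION, 36))
```

The two-SCT sample satisfies the policy for a one-year certificate but not for a three-year one, which is the practical point of the lifetime table: a longer-lived EV certificate needs more SCTs embedded at issuance, and the server operator cannot add them later.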

To support EV SSL certificates with embedded SCTs, QuoVadis has set up a new dedicated issuing CA in 2015, and the SWITCHpki server certificate request form has been amended accordingly (by an Extended Validation (EV) SSL with CT extension certificate type option). SWITCH is currently offering both flavors: EV SSL certificates with embedded SCTs (issued by the QuoVadis EV SSL ICA G1 created in January 2015), and EV SSL certificates without embedded SCTs (traditional format, issued by the QuoVadis Global SSL ICA G2).

For best compatibility with Google browsers, it is recommended to request EV SSL certificates with embedded SCTs. Please note that when replacing an existing EV SSL certificate (issued before February 2015), the new certificate chains to a different issuing CA, so the server configuration needs to be adapted to send the new intermediate certificate, QuoVadis EV SSL ICA G1, instead of the old one in the TLS handshake. A server that keeps sending the old intermediate will present an incomplete chain, and clients that do not fetch missing intermediates themselves will fail to validate it.

To confirm that an SSL server certificate indeed supplies signed certificate timestamps to the browser, examine the Connection section in Chrome's Website settings popup, which opens when clicking the lock icon in the URL bar (see our test site); if the SCTs are missing or insufficient, the connection is still shown as secure but without the EV organization name. Outside a browser, OpenSSL 1.1.0 or later lists the embedded SCTs under "CT Precertificate SCTs" in the output of openssl x509 -noout -text.