Chrome Certificate Transparency Requirements

This announcement has been archived and is hosted solely for historical reference. It is no longer being updated or maintained.

As of July 24, 2018, Google is now enforcing Certificate Transparency (CT) for Chrome 68 and above. This means that all TLS/SSL certificates issued after April 30, 2018, that validate to a publicly trusted Root Certification Authority (CA) certificate must appear in a CT log in order to be trusted by Chrome 68 and above. In addition, websites must serve proof of certificate inclusion in the CT log through a Signed Certificate Timestamp (SCT). Users browsing to non-CT compliant, federal intranet websites will encounter connection errors.

Many popular browsers plan to deploy CT in their product roadmaps. Timelines will be updated on this site as browser deployment dates become known.

How Does This Work?

The requirements for CT are built into browsers.

All roots that have been distributed by one or more of the Microsoft, Android, Apple, or Mozilla trusted root programs are listed here: Root Stores.
When a government user browses to an intranet website, the user’s workstation or mobile device will build one or more certificate paths to the enterprise or publicly trusted roots.
The browser will compare the certificate path(s) to the list of roots that have ever been included in the popular trust stores currently in use worldwide.
If any certificate in the trust chain matches one of the roots in the list, then the CT requirements will be in effect.

What Will Be Impacted?

A government user will receive an error on government-furnished equipment if all of the following are true:

Using Chrome 68 or higher (Note: Additional browsers may be affected in the future.)
Browsing to an intranet website with a TLS/SSL certificate that validates to the Federal Common Policy CA
The TLS/SSL certificate was issued after April 30, 2018

Chrome Error Screen

When Will This Start?

CT enforcement has begun. As of July 24, 2018, Google is now enforcing CT for Chrome 68 and above.

What Should I Do?

To mitigate the impact on the federal enterprise, you must disable CT enforcement for the affected intranet websites.

Please see Disable CT Enforcement for Government-Furnished Equipment.

Disable CT Enforcement for Government-Furnished Equipment

Two options are outlined in this section. Additional options may become available for future releases of Chrome. We will continue to update these procedures and post additional information as it becomes available. Please also check the GitHub Issues in the GSA FPKI-Guides repository for in-progress discussions.

Option 1: Disable CT Enforcement for “Legacy” CAs (Recommended Configuration)

Google Chrome’s “CertificateTransparencyEnforcementDisabledForLegacyCas” policy configuration allows you to disable CT enforcement for websites that chain to a user-specified “legacy” CA. Google Chrome categorizes a CA as “legacy” if it meets the following criteria:

The CA has been publicly trusted by default in one or more operating systems supported by Chrome, such as Windows or macOS.
The CA isn’t currently trusted by the Android Open Source Project or Chrome OS.

The Federal Common Policy CA meets Google’s criteria for a “legacy” CA, so you can disable CT enforcement for intranet websites that chain to it. In some cases, you’ll need to create a new registry key tree in the locations specified below:

a. Windows Registry location for Windows clients:

For HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas, add a new string value:

   Name = 1 | Data = sha256/jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU=

b. Windows Registry location for Chrome OS clients:

For HKEY_LOCAL_MACHINE\Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas, add new string value:

   Name = 1 | Data = sha256/jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU=

c. macOS

For preference name, CertificateTransparencyEnforcementDisabledForLegacyCas, add values:

   <array>
     <string>sha256/jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU=</string>
   </array>

Note: In all cases above, jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= is a Base64 encoding of a SHA-256 hash of the Federal Common Policy CA’s Subject Public Key Information (SPKI) field.

Option 2: Disable CT Enforcement for Domains and Sub-Domains

Chrome for government-furnished equipment will not enforce CT requirements if you apply a policy rule and include a .gov or .mil second-level domain, such as agency.gov, or other third-level sub-domains, such as example.agency.gov. You should apply configuration changes for only government-furnished equipment and only include an explicit list of second-level or below sub-domains in use for intranet websites. In some cases, you may need to create a new registry key tree in the locations specified below:

a. Windows Registry location for Windows clients:

For HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, add new string value:

   Agency Sub-Domain example:
   
   Name = 1 | Data = example.agency.gov
   
   Gov/Mil Top-Level Domain example:
   
   Name = 2 | Data = gov
   Name = 3 | Data = mil

b. Windows Registry location for Chrome OS clients:

For HKEY_LOCAL_MACHINE\Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForUrls, add new string value:

   Sub-Domain example:
   
   Name = 1 | Data = example.agency.gov
   
   Gov/Mil Top-Level Domain example:
   
   Name = 2 | Data = gov
   Name = 3 | Data = mil

c. macOS

For preference name, CertificateTransparencyEnforcementDisabledForUrls, add values:

   <array>
     <string>example.agency.gov</string>
     <string>.example.agency.gov</string>
     <string>gov</string>
     <string>mil</string>
   </array>

Frequently Asked Questions

1. Will Google’s use of CT in Chrome impact my agency’s internal, only locally trusted CA TLS/SSL certificates?

No. There will be no impact if you use your agency’s internal, only locally trusted CA to issue TLS/SSL certificates to intranet sites. Chrome’s CT enforcement will impact only federal intranet sites whose TLS/SSL certificates validate to Federal Common Policy CA, whose certificate is currently distributed through operating system trust stores.

2. Why is Google enforcing CT in Chrome?

Chrome’s CT change has been planned and incrementally implemented for over two years. CT provides a benefit to the global community by:

Improving openness and transparency
Allowing domain owners to identify mistakenly or maliciously issued certificates

3. How do I know whether my intranet website is compliant with CT?

You can check for CT compliance by using the steps below to verify the presence of an SCT. These steps apply to any Federal PKI TLS/SSL certificate or commercially sourced certificate.

Note: SCTs are only required for certificates issued after April 30, 2018. Some certificates issued before this date may already be compliant. To check compliance:

Open Chrome and browse to your website.
In Chrome, go to Settings->More Tools.

Open the Developer Tools panel:

Windows:  CTRL + Shift + "i"
macOS:  Apple key + Shift + "i"

Select the Security tab in the Developer Tools.
Refresh the website page and click on the website under the Main origin column.
If the certificate is compliant, it will display the CT log details under the Certificate Transparency heading.