How will Certificate Transparency affect existing Active Directory Certificate Services environments?


Wes Hammond here from Premier Field Engineering.  It has been a while since I posted anything, but I wanted to step back into the spotlight to talk a little bit about something a few customers have been asking about lately.  How will Certificate Transparency affect their Active Directory Certificate Services environments?  Well, here are your answers…


Before we get started, here is a little bit of information about Certificate Transparency that is relevant to this article.  CT is being applied to certificate authorities that chain to a Public/Commercial Root Authority to detect fraudulent certificates used for HTTPS purposes.  Many public certificate authorities have already been reporting to the CT logging servers for some time now.  How it works is beyond the scope of this document and I would recommend you read the information located at the site linked to at the bottom of this article.


CT in Browsers

Google is scheduled to enforce CT in Chrome browsers on April 30th 2018 for certificates issued after April 1st 2018.


CT in Private PKI (CAs that DO NOT chain to a public Root)

I am going to start with the most common scenario.  Most of you have a private PKI within your organization that does not chain up to a public root.  In this scenario, CT will not affect your CAs.  The Chrome browser uses the native Windows CAPI to determine trusted chains, and Windows can differentiate between commercial/public CA chains and internal/private chains.  Because Windows has this ability, CT will not affect private/internal PKI chains.


CT in Certificate Chains that DO chain to public Root

If your certificate authority chains up to a public root and you issue SSL/TLS/HTTPS certificates, CT may affect your PKI.  How it affects you is beyond the scope of this article, and I would recommend you consult your provider for more information.


Other Certificate Purposes

As I mentioned earlier, CT is only relevant to certificates used for HTTPS.  All other certificate purposes, such as smartcard logon, code signing, document signing, S/MIME, and many others, are not visible through Chrome browsers and thus are not affected, so rest easy 🙂
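To put the two points above (chain to a public root, and HTTPS purpose only) into something you can run against a certificate in your own environment, here is an added PowerShell triage script. It is an example written for this post, not Wes's code and not anything shipped with AD CS. It assumes a certificate file path is passed in, uses the standard Server Authentication EKU OID (1.3.6.1.5.5.7.3.1) and the RFC 6962 SCT list extension OID (1.3.6.1.4.1.11129.2.4.2), and treats "root present in the LocalMachine\AuthRoot store" as a heuristic for "distributed by the Microsoft Root Certificate Program, i.e. publicly trusted"; that store check is my approximation, not the exact logic Chrome or CAPI apply.

```powershell
# Added example (not from the original post): triage one certificate for CT relevance.
# Reports (1) whether it is an HTTPS / Server Authentication certificate, (2) whether it
# already carries embedded SCTs, and (3) whether its chain ends in a root that sits in the
# AuthRoot store (heuristic for "publicly trusted root" - an assumption, not Chrome's rule).
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # path to a .cer/.crt file (DER or PEM)
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). Only HTTPS certificates are subject to CT.
#    A certificate with no EKU extension (id-ce-extKeyUsage, 2.5.29.37) is valid for any purpose,
#    so it is treated as potentially usable for HTTPS.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($null -eq $ekuExt) {
    $isServerAuth = $true
} else {
    $isServerAuth = @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
}

# 2. Embedded SCT list extension (RFC 6962, OID 1.3.6.1.4.1.11129.2.4.2).
$sctOid = '1.3.6.1.4.1.11129.2.4.2'
$hasSct = @($cert.Extensions | Where-Object { $_.Oid.Value -eq $sctOid }).Count -gt 0

# 3. Build the chain through CAPI (the same machinery Chrome on Windows relies on) and pick the
#    last element, which is the root when the chain could be completed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Heuristic (assumption): roots delivered by the Microsoft Root Certificate Program are kept in
# LocalMachine\AuthRoot; a root your own AD CS deployed via Group Policy normally is not there.
$inAuthRoot = Test-Path -Path ("Cert:\LocalMachine\AuthRoot\" + $root.Thumbprint)

[pscustomobject]@{
    Subject          = $cert.Subject
    ChainBuilt       = $chainOk
    ServerAuthEKU    = $isServerAuth
    HasEmbeddedSCT   = $hasSct
    RootSubject      = $root.Subject
    RootThumbprint   = $root.Thumbprint
    RootInAuthRoot   = $inAuthRoot
    LikelyCTRelevant = ($isServerAuth -and $inAuthRoot)
}
```

Save it as, say, Test-CtRelevance.ps1 (my name for it) and run `.\Test-CtRelevance.ps1 -CertPath C:\temp\web.cer`. A smartcard logon or code signing certificate comes back with ServerAuthEKU = False, which is the "other purposes" case above; a web server certificate from your enterprise CA comes back with ServerAuthEKU = True but RootInAuthRoot = False, which is the private PKI case. Only the combination of both being True points at a certificate you should take up with your public provider.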


For more information on Certificate Transparency see the official site on it here: https://www.certificate-transparency.org/

If you liked this blog please don't forget to rate it.

Comments (2)

  1. lkl-it says:

    Windows Update
    February 22, 2018—KB4077525 (OS Build 14393.2097)
    says that Certificate Transparency support is added to AD CS, so what does the update change exactly, and how can we configure Certificate Transparency in AD CS?

    See below:
    https://support.microsoft.com/af-za/help/4077525/windows-10-update-kb4077525

    • Adds ADCS support for Certificate Transparency (CT) that's compatible with the updated Google Chrome requirements. CT is a technology used by certificate authorities to log and publish certificate metadata for improved security.

    • Adds ADCS support for Certificate Transparency for publicly trusted SSL/TLS certificates

  2. WesH [MSFT] says:

    Sorry for the delay, I have been waiting on documentation to be released. See the blog below:
    https://support.microsoft.com/en-us/help/4093260/introduction-of-ad-cs-certificate-transparency
