Certificate Transparency for Managed HTTPS endpoints



We received a notice about an upcoming Google Chrome requirement: “Starting April 30, 2018, Google Chrome will require all publicly trusted certificates issued after this date to be logged in at least two Certificate Transparency logs.” on https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/. Our nginx servers are using managed https. Will these endpoints be compatible with Chrome come April? If not, what’s the recommended path forward?



Under the hood, Managed TLS leverages Let’s Encrypt, which does publish all certificates to CT logs, so there is nothing you need to do here.

If you’d like, you can confirm that your certificates were indeed logged using this CT log search tool: https://crt.sh/



Thanks for the suggestion. I checked with https://crt.sh and confirmed that there are CT logs for each of our managed https endpoints.

However, when I used the Chrome Security developer tool along with Qualys SSL checker to check for CT, they showed that CT was not enabled.

To resolve this, I deleted our old https endpoint and created new ones. The new endpoints ended up passing Qualys and the Chrome tool. Not exactly sure what that did exactly, but thought I’d share my experience to work around this. For what it’s worth, I rely on Chrome’s developer tool as the ultimate litmus test.
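
Added example, not part of the thread above: a log search such as crt.sh shows that a certificate was logged, while a client-side check looks at the Signed Certificate Timestamps (SCTs) delivered with the certificate, for instance in the X.509 extension 1.3.6.1.4.1.11129.2.4.2. This Python sketch parses the RFC 6962 SCT list inside that extension and counts distinct logs against the "at least two logs" requirement quoted in the question; the sample bytes and helper names are constructed for illustration, and signatures are not verified.

```python
import struct
from datetime import datetime, timezone

def parse_sct_list(data: bytes) -> list:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2 : pos + 2 + sct_len]
        if len(sct) != sct_len or sct_len < 47:
            raise ValueError("truncated SCT")
        # version(1) | log_id(32) | timestamp in ms(8) | extensions length(2)
        version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct)
        off = 43 + ext_len
        if off + 4 > sct_len:
            raise ValueError("bad extensions length")
        # hash alg(1) | signature alg(1) | signature length(2) | signature
        _hash_alg, _sig_alg, sig_len = struct.unpack_from(">BBH", sct, off)
        if off + 4 + sig_len != sct_len:
            raise ValueError("bad signature length")
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        scts.append({"version": version, "log_id": log_id.hex(),
                     "timestamp": when.isoformat()})
        pos += 2 + sct_len
    return scts

def distinct_logs(scts: list) -> int:
    """Count distinct logs among v1 SCTs (version byte 0)."""
    return len({s["log_id"] for s in scts if s["version"] == 0})

def make_sample_list(entries) -> bytes:
    """Build a constructed SCT list from (log_id_byte, timestamp_ms) pairs."""
    out = b""
    for log_byte, ts_ms in entries:
        sig = b"\x00" * 8  # placeholder bytes, not a real signature
        body = struct.pack(">B32sQH", 0, bytes([log_byte]) * 32, ts_ms, 0)
        body += struct.pack(">BBH", 4, 3, len(sig)) + sig  # sha256, ecdsa
        out += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(out)) + out

if __name__ == "__main__":
    sample = make_sample_list([(0xA1, 1525046400000), (0xB2, 1525046401000)])
    for sct in parse_sct_list(sample):
        print(sct["log_id"][:16], sct["timestamp"])
    print("distinct logs:", distinct_logs(parse_sct_list(sample)))
```

A certificate that appears in a log search but yields an empty list here, or SCTs from a single log, would explain a client reporting that CT is missing.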