UPDATE: May 6, 2020
Today, Google announced its plans to deprecate the CT2 log used for logging certificates under the Certificate Transparency program. We placed the log in read-only mode on May 3 and it will be retired from the CT program officially on May 19.
How does this impact customers and partners?
The Google announcement does not impact DigiCert certificates. Current and future certificates issued by DigiCert will continue to be trusted and work without any customer action. The events leading to the deprecation of the CT2 log do not impact our CA or our three other CT logs, which operate on completely different infrastructure that is segmented from CT2.
How does CT work and how is DigiCert involved?
DigiCert was the first CA to support CT logging in its certificates and to host a non-Google log. The benefit of CT is that it provides a resilient and flexible system, relying upon multiple logs, to record all issued publicly trusted certificates. The primary purpose is to detect misissued or malicious TLS certificates in order to find problems and stop them early on. CT has proved that ability over time, and our CT log monitoring service builds upon these principles to help brands monitor their certificates live in the cloud.
What does log retirement mean?
When a log is retired, as other logs have been in the past, the CT ecosystem remains reliable, because CAs are required to submit the certificates they issue to multiple logs. DigiCert operates three other CT logs, as a service to the industry, that are completely independent of our core business of issuing certificates and helping you manage them. These three logs continue to record many certificates, not just from DigiCert but from nearly all CAs.
For some time now, DigiCert has been moving our issued certificates towards our newer, more modern logs, Yeti and Nessie. Because CT was designed around a system of multiple independent logs, the retirement of the CT2 log is mostly a non-event.
What comes next?
DigiCert will continue working every day to harden our security as we help you harden yours. This includes many audits and internal reviews of our policies, procedures and practices. As part of our technology modernization efforts, we will continue deprecating legacy systems and platforms as we onboard new ones. In the last two years, we have invested heavily in modern PKI technology, including our leading DigiCert CertCentral®. Technology requires constant learning and improvement, and that is a core value of ours.
We appreciate you, our partners and customers, and remain committed to your success.
DigiCert Statement on CT2 Log – May 4, 2020
Yesterday, May 3, DigiCert announced that it is deactivating its Certificate Transparency (CT) 2 log server after determining that the key used to sign SCTs may have been exposed via critical SALT vulnerabilities. We do not believe the key was used to sign SCTs outside of the CT log’s normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 p.m. U.S. Mountain Daylight Time (MDT) should obtain an SCT from another trusted log. Three other DigiCert CT logs (CT1, Yeti and Nessie) are not affected, as they run on completely different infrastructure. The impact is limited to the CT2 log and no other part of DigiCert’s CA or CT log systems.
DigiCert has been planning for some time to shut down CT2, in order to move the industry toward our newer and more robust CT logs, Yeti and Nessie. We notified the industry of our intention to terminate signing operations of CT2 on May 1 but pushed back the date based on industry feedback. This timeline has now been moved up, with the CT2 log in read-only mode effective May 3.
Because of Google’s implementation of CT that requires SCTs be posted in multiple logs in order for a certificate to be valid, active TLS certificates posted to the CT2 log should continue to work as expected if issued before May 2 at 5 p.m. MDT.
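The precaution described above (CAs checking whether any SCT they hold came from the CT2 log after the May 2, 5 p.m. MDT cutoff, and whether enough SCTs from other logs remain) can be automated. The following is an added example, not DigiCert's own tooling: it parses a TLS-encoded SignedCertificateTimestampList (RFC 6962 section 3.3) and flags SCTs from a suspect log signed after a cutoff. The log IDs, timestamps and SCT bytes are constructed for the example, the "CT2" log ID is a placeholder since the real one is not given in this statement, and the signature bytes are dummies that are parsed but not verified.

```python
"""Parse an RFC 6962 SCT list and flag SCTs from a suspect log after a cutoff.

Added example. The log IDs below are constructed placeholders, not the real
CT2 / Yeti / Nessie log IDs; the SCT signatures are dummy bytes and are not
verified here (that would require each log's public key).
"""
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Placeholder log IDs (a real log ID is the SHA-256 of the log's public key).
CT2_LOG_ID = bytes.fromhex("ab" * 32)      # stands in for the suspect CT2 log
OTHER_LOG_ID = bytes.fromhex("cd" * 32)    # stands in for an unaffected log

# Cutoff from the statement: May 2, 2020 at 5 p.m. MDT (UTC-6) == 23:00 UTC,
# expressed in milliseconds since the epoch as SCT timestamps are.
CUTOFF_MS = int(datetime(2020, 5, 2, 23, 0, tzinfo=timezone.utc).timestamp() * 1000)


def parse_sct(sct: bytes) -> Dict:
    """Parse one serialized v1 SCT: version(1) log_id(32) timestamp(8)
    extensions<0..2^16-1> hash_alg(1) sig_alg(1) signature<0..2^16-1>."""
    if sct[0] != 0:  # sct_version v1 is encoded as 0
        raise ValueError("unsupported SCT version %d" % sct[0])
    log_id = sct[1:33]
    (timestamp,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    sig_start = 43 + ext_len
    hash_alg, sig_alg = sct[sig_start], sct[sig_start + 1]
    (sig_len,) = struct.unpack(">H", sct[sig_start + 2:sig_start + 4])
    signature = sct[sig_start + 4:sig_start + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated SCT signature")
    return {"log_id": log_id, "timestamp": timestamp,
            "extensions": sct[43:sig_start],
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature}


def parse_sct_list(data: bytes) -> List[Dict]:
    """Parse SignedCertificateTimestampList: uint16 total length, then a
    sequence of opaque<1..2^16-1> serialized SCTs (RFC 6962 section 3.3)."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < 2 + total:
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def scts_needing_replacement(scts: List[Dict], suspect_log_id: bytes,
                             cutoff_ms: int) -> List[Dict]:
    """SCTs issued by the suspect log after the cutoff: these should be
    replaced by an SCT from another trusted log."""
    return [s for s in scts
            if s["log_id"] == suspect_log_id and s["timestamp"] > cutoff_ms]


def remaining_distinct_logs(scts: List[Dict], suspect_log_id: bytes,
                            cutoff_ms: int) -> int:
    """Number of distinct logs still vouching for the certificate once the
    flagged SCTs are discounted (multi-log policies count distinct logs)."""
    flagged = scts_needing_replacement(scts, suspect_log_id, cutoff_ms)
    return len({s["log_id"] for s in scts if s not in flagged})


# --- constructed sample data -------------------------------------------------
def _build_sct(log_id: bytes, timestamp_ms: int, signature: bytes = b"\x00" * 8) -> bytes:
    # hash_alg 4 = sha256, sig_alg 3 = ecdsa (TLS SignatureAndHashAlgorithm)
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0) + bytes([4, 3])
            + struct.pack(">H", len(signature)) + signature)


def _build_sct_list(scts: List[bytes]) -> bytes:
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner


def _ms(y: int, m: int, d: int, h: int) -> int:
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed SCT list: one CT2 SCT before the cutoff, one CT2 SCT after it,
# and one SCT from an unaffected log.
SAMPLE_SCT_LIST = _build_sct_list([
    _build_sct(CT2_LOG_ID, _ms(2020, 5, 1, 12)),    # CT2, before cutoff: fine
    _build_sct(CT2_LOG_ID, _ms(2020, 5, 3, 1)),     # CT2, after cutoff: replace
    _build_sct(OTHER_LOG_ID, _ms(2020, 5, 3, 1)),   # other log: unaffected
])

if __name__ == "__main__":
    parsed = parse_sct_list(SAMPLE_SCT_LIST)
    for s in scts_needing_replacement(parsed, CT2_LOG_ID, CUTOFF_MS):
        print("replace SCT from suspect log at", s["timestamp"])
    print("distinct logs still vouching:",
          remaining_distinct_logs(parsed, CT2_LOG_ID, CUTOFF_MS))
```

In practice the SCT list bytes come from the certificate's SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2), a TLS extension, or a stapled OCSP response; this example takes the raw list so it runs offline. It discounts SCTs by timestamp rather than rejecting the log outright because, as the statement says, SCTs issued before the cutoff remain valid.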