System status | SwissSign
A data security specialist by Swiss Post


31.03.2017

CT Log SSL Gold EV: Now also with precertificate!

 

The CT log project is used to verify certificates. The logs list all certificates issued by all certificate authorities worldwide and are open to everybody. Each website operator can therefore monitor its own domains and identify misissuances.

Certificate authorities can log a certificate during the application phase (a so-called "precertificate") or only after approval and issuance. With a precertificate, the log information from the log operators is entered as an X.509v3 certificate extension called Signed Certificate Timestamp (SCT) and can be recognized directly by any web browser. When the entry is made after issuance, the log information is transmitted only as part of a validity query using "OCSP stapling". The latter method is more elegant because log operators can also terminate their operation, and the certificate is then always supplied with a replacement for the terminated log. However, OCSP stapling is not yet supported by all web servers. The following web servers currently support OCSP stapling:

• Apache > 2.2.3

• Nginx > 1.3.7

• Microsoft IIS Windows Server > 2008

• HAProxy > 1.5.0

• LiteSpeed Web Server > 4.2.4

• F5 Networks BIG-IP > 11.6.0

SwissSign has always offered EV certificates through the OCSP stapling process. The option to use a precertificate for SSL Gold EV certificates is new. In the last step of the certificate request, the appropriate method for the CT log must be selected.
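The SCT list uses the same TLS encoding (RFC 6962) whether it arrives embedded in the certificate or in a stapled OCSP response, so one parser covers both delivery methods described above. The following is an added example, not SwissSign code; it assumes the ASN.1 OCTET STRING wrapping of the extension has already been removed, does not verify the log's signature, and runs on a constructed sample with a dummy log ID and a placeholder signature.

```python
import struct
from datetime import datetime, timezone

OID_SCT_IN_CERT = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962: SCT list embedded in the certificate
OID_SCT_IN_OCSP = "1.3.6.1.4.1.11129.2.4.5"  # RFC 6962: SCT list in a stapled OCSP response


def parse_sct(sct: bytes) -> dict:
    """Decode one v1 SCT: version, log ID, timestamp, extensions, signature."""
    if len(sct) < 47:  # 1 + 32 + 8 + 2 + 1 + 1 + 2 bytes of fixed fields
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError("unsupported SCT version")
    ts_ms, ext_len = struct.unpack_from(">QH", sct, 33)
    pos = 43 + ext_len  # skip the (usually empty) CtExtensions field
    if pos + 4 > len(sct):
        raise ValueError("extensions overrun SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if pos + 4 + sig_len != len(sct):
        raise ValueError("signature length mismatch")
    return {
        "log_id": sct[1:33].hex(),  # SHA-256 of the log's public key
        "timestamp_ms": ts_ms,      # milliseconds since the Unix epoch
        "issued_utc": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "hash_alg": hash_alg,       # TLS HashAlgorithm, 4 = SHA-256
        "sig_alg": sig_alg,         # TLS SignatureAlgorithm, 3 = ECDSA
        "signature": sct[pos + 4:],
    }


def parse_sct_list(data: bytes) -> list:
    """Decode a TLS-encoded SignedCertificateTimestampList."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

# Constructed sample: one SCT, dummy log ID, placeholder (invalid) 8-byte signature.
_sct = (bytes([0]) + b"\xaa" * 32 + struct.pack(">QH", 1490918400000, 0)
        + bytes([4, 3]) + struct.pack(">H", 8) + b"\x00" * 8)
SAMPLE_LIST = struct.pack(">HH", len(_sct) + 2, len(_sct)) + _sct
```

The log ID identifies which log issued the SCT, which is what a monitoring script would compare against the list of logs it trusts.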