14.10. Configuring Certificate Transparency

Certificate System provides a basic version of Certificate Transparency (CT) V1 support (RFC 6962). It can issue certificates with embedded Signed Certificate Timestamps (SCTs) from any trusted log in which the deployment site chooses to have its root CA certificate included. The system can also be configured to use multiple CT logs. A minimum of one trusted CT log is required for this feature to work.

Important

It is the responsibility of the deployment site to establish its trust relationship with a trusted CT log server.
To configure Certificate Transparency, edit the CA's CS.cfg file, located at /var/lib/pki/instance name/ca/conf/CS.cfg.
For more information on how to test your Certificate Transparency setup, see the Testing Certificate Transparency section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.

14.10.1. ca.certTransparency.mode

ca.certTransparency.mode specifies one of three Certificate Transparency modes:
  • disabled: issued certs will not carry the SCT extension
  • enabled: issued certs will carry the SCT extension
  • perProfile: only certs enrolled through profiles whose policyset contains SignedCertificateTimestampListExtDefaultImpl will carry the SCT extension
The default value is disabled.

14.10.2. ca.certTransparency.log.num

ca.certTransparency.log.num specifies the total number of CT logs defined in the configuration.

Note

Not all CT log entries that are defined are considered active; see ca.certTransparency.log.<id>.enable in Section 14.10.3, “ca.certTransparency.log.<id>.*”.

14.10.3. ca.certTransparency.log.<id>.*

ca.certTransparency.log.<id>.* specifies information pertaining to the log <id>, where <id> is a unique ID you assign to the CT log server to differentiate it from other CT logs.
The following parameters, each prefixed with ca.certTransparency.log.<id>., belong to log <id>:
  • ca.certTransparency.log.<id>.enable specifies whether the <id> CT log is enabled (true) or disabled (false).
  • ca.certTransparency.log.<id>.pubKey contains the base64 encoding of the CT log's public key.
  • ca.certTransparency.log.<id>.url contains the base64 encoding of the CT log url.
  • ca.certTransparency.log.<id>.version specifies the CT version number that the CT log server supports; currently only version 1 is supported.
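As an added example (not code from Certificate System or this guide), the following Python script parses the CT-related lines of a CS.cfg and checks them against the rules above: a valid mode, a consistent log.num, base64-encoded pubKey and url values, version 1, and at least one enabled log whenever the mode is not disabled. The sample configuration is constructed, and the requirement that the decoded url use https is an assumption of the check, not something the guide states.

```python
import base64
import binascii
from urllib.parse import urlparse

PREFIX = "ca.certTransparency."
VALID_MODES = {"disabled", "enabled", "perProfile"}

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample of the CT lines of a CA CS.cfg; no real log keys or URLs.
# Log 2 is deliberately broken (bad base64, http URL, unsupported version).
SAMPLE_CS_CFG = "\n".join([
    "ca.certTransparency.mode=perProfile",
    "ca.certTransparency.log.num=2",
    "ca.certTransparency.log.1.enable=true",
    "ca.certTransparency.log.1.pubKey=" + b64("fake-spki-der-bytes"),
    "ca.certTransparency.log.1.url=" + b64("https://ct.example.test/2024/"),
    "ca.certTransparency.log.1.version=1",
    "ca.certTransparency.log.2.enable=false",
    "ca.certTransparency.log.2.pubKey=not*base64",
    "ca.certTransparency.log.2.url=" + b64("http://ct.example.test/old/"),
    "ca.certTransparency.log.2.version=2",
])

def parse_cs_cfg(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def check_ct_config(cfg: dict) -> list:
    """Return findings as strings; an empty list means the CT section is consistent."""
    findings = []
    mode = cfg.get(PREFIX + "mode", "disabled")
    if mode not in VALID_MODES:
        findings.append(f"mode '{mode}' is not one of {sorted(VALID_MODES)}")
    try:
        num = int(cfg.get(PREFIX + "log.num", "0"))
    except ValueError:
        num, _ = 0, findings.append("log.num is not an integer")
    active = 0
    for i in range(1, num + 1):  # disabled logs are checked too: enabling them later must not surprise
        log = PREFIX + f"log.{i}."
        for field in ("pubKey", "url"):
            try:
                decoded = base64.b64decode(cfg.get(log + field, ""), validate=True)
            except binascii.Error:
                findings.append(f"log {i}: {field} is not valid base64")
                continue
            # https requirement is this check's assumption, not a rule from the guide
            if field == "url" and urlparse(decoded.decode("utf-8", "replace")).scheme != "https":
                findings.append(f"log {i}: url does not use https")
        if cfg.get(log + "version") != "1":
            findings.append(f"log {i}: version must be 1")
        active += cfg.get(log + "enable", "false").lower() == "true"
    if mode != "disabled" and active == 0:
        findings.append(f"mode is {mode} but no log is enabled")
    return findings
```

Run it against the real file with `check_ct_config(parse_cs_cfg(open(path).read()))` before restarting the CA.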