| HN Mirror

Technically you don't have to log certificates during issuance, and actually doing so is slightly more trouble (because of a chicken & egg problem, you want the log proof in the certificate, so you must log special "poisoned" certificates to get that proof and then fasten that proof to the certificate.

A customer can take an unlogged cert, log it themselves, and then use the certificate and the separate proof of logging they received and use that just fine. Google have some services which do this. One clever thing this enables is you can buy the cert secret-product-name.example, unlogged, build the web site, check everything works, and log the certificate seconds before the product launch event, so snoops can't tell your new product is secret-product-name until the moment you announce it, yet the site works immediately. I have very rarely seen this done but it's possible. When there's an ordinary White House transition process both plausible transition site certs get logged, even though in practice one of those sites is never published. Since Trump I have no idea if this process is so smooth any more.

A CA can choose whether to have this "issue unlogged certs" process as something they offer, it's a niche thing, but it could make sense. They need to keep adequate records of every certificate they issue (that's required) and logging is a very easy way to satisfy that requirement, but it's not the only way.

In practice, the logged certificates are the easy consumer option, like selling ready-to-eat food in a deli. Some customers might be prepared to buy ingredients and go away to make food, but, many customers probably want to eat food immediately so for extra money you sell products that can just be eaten immediately. So, yes, the vast majority of certificates issued every day are indeed logged immediately so as to provide the product people want.