|
|
|
|
|
|
by plagiat0r
115 days ago
|
|
|
X509 certificates published in CT logs are "pre-certificates". They contains a poison extension so you don't be able to use them with your private key. The final certificate (without poison and with SCT proof) is usually not published in any CT logs but you can submit it yourself if you wish. |
|
|
Here's the pre-certificate for this web site's current certificate:
https://crt.sh/?id=23696530376
and here, just a few later in the log, is the finished certificate:
https://crt.sh/?id=23696528656
This is good practice, but it's also just easier, because if anything goes wrong, and sometimes things do go wrong, when the trust store says hey, please provide all certificates you issued with these properties, if you've logged them they are right there published in the logs for everybody to see - no bother, no risk - if you haven't then you need your own storage and better hope there aren't any mistakes. I'm sure LE do have their own copies if they needed them, but it sure is nice to know that's not what you're betting on.
†Poisoned pre-certificates are a "temporary" hack so that the certificate logging system can be demonstrated. If we ever really wanted this of course we'd develop a proper solution instead, right? Right? Every experienced software engineer knows that "temporary" usually means permanent in practice and so nobody was surprised by how this turned out.