DigiCert

Announcements 05-04-2020

Moving forward: What DigiCert’s CT2 log retirement means for you


UPDATE: May 6, 2020

Today, Google announced plans to deprecate the CT2 log used for logging certificates under the Certificate Transparency program. We placed the log in read-only mode on May 3 and it will be retired from the CT program officially on May 19.

How does this impact customers and partners?

The Google announcement does not impact DigiCert certificates. Current and future certificates issued by DigiCert will continue to be trusted and work without any customer action. The events leading to the deprecation of the CT2 log do not impact our CA or three other CT logs, which operate on completely different infrastructure that is segmented from CT2.

How does CT work and how is DigiCert involved?

DigiCert was the first CA to support CT logging in its certificates and to host a non-Google log. The benefit of CT is that it provides a resilient and flexible system, relying upon multiple logs, to record all issued publicly trusted certificates. The primary purpose is to detect misissued or malicious TLS certificates in order to find problems and stop them early on. CT has proved that ability over time, and our CT log monitoring service builds upon these principles to help brands monitor their certificates live in the cloud.

What does log retirement mean?

When a log is retired, as others have been in the past, the CT ecosystem remains reliable, because CAs are required to post certificates that they issue to multiple logs. DigiCert operates three other CT logs, as a service to the industry, that are completely independent of our core business of issuing certificates and helping you manage them. These three logs continue to log many certificates, not just from DigiCert but from nearly all CAs.

For some time now, DigiCert has been moving our issued certificates towards our newer, more modern logs, Yeti and Nessie. The foresight in this system of multiple logs and design around CT makes the retirement of the CT2 log mostly a non-event.

What comes next?

DigiCert will continue working every day to harden our security as we help you harden yours. This includes many audits and internal reviews of our policies, procedures and practices. As part of our technology modernization efforts, we will continue deprecating legacy systems and platforms as we onboard new ones. In the last two years, we have invested heavily in modern PKI technology, including our leading DigiCert CertCentral®. Technology requires constant learning and improvement, and that is a core value of ours.

We appreciate you, our partners and customers, and remain committed to your success.

DigiCert Statement on CT2 Log - May 4, 2020

Yesterday, May 3, DigiCert announced that it is deactivating its Certificate Transparency (CT) 2 log server after determining that the key used to sign SCTs may have been exposed via We do not believe the key was used to sign SCTs outside of the CT log's normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 p.m. U.S. Mountain Daylight Time (MDT) should receive an SCT from another trusted log. Three other DigiCert CT logs (CT1, Yeti and Nessie) are not affected, as they are run on completely different infrastructure. The impacts are limited to only the CT2 log and no other part of DigiCert's CA or CT Log systems.

DigiCert has been planning for some time to shut down CT2, in order to move the industry toward our newer and more robust CT logs, Yeti and Nessie. We notified the industry of our intention to terminate signing operations of CT2 on May 1 but pushed back the date based on industry feedback. This timeline has now been moved up, with the CT2 log in read-only mode effective May 3.

Because of Google's implementation of CT that requires SCTs be posted in multiple logs in order for a certificate to be valid, active TLS certificates posted to the CT2 log should continue to work as expected if issued before May 2 at 5 p.m. MDT.
