Draft: Certificate Transparency Opt-Outs Are Gone#30
Draft
krakenhavoc wants to merge 1 commit into
Draft
Conversation
DigiCert removed CT opt-out controls June 1, 2026. Chrome Root Program Policy v1.8 Section 1.3.4.1 requires precertificate logging before issuance for all Root Program participants by June 15. Post covers what changed, hostname disclosure risks for internal infrastructure, crt.sh audit commands, and private PKI migration paths.
Deploying web with
|
| Latest commit: |
db55cc8
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://1ddb17a9.web-f5e.pages.dev |
| Branch Preview URL: | https://blog-draft-ct-logging-mandat.web-f5e.pages.dev |
This was referenced Jun 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Topic
Certificate Transparency opt-out removal at DigiCert (June 1, 2026) and the Chrome Root Program Policy v1.8 Section 1.3.4.1 enforcement deadline (June 15, 2026) making precertificate logging mandatory before issuance for all Root Program participants.
Why this week
DigiCert removed CT opt-out settings from CertCentral on June 1, 2026 -- within the past 7 days. Chrome's enforcement deadline is June 15, 12 days out. The operational impact (internal hostnames permanently in public CT logs) is immediate and actionable for SREs managing infrastructure on public TLS certificates.
Sources used
Uniqueness check -- 3 most recent existing posts reviewed
public-ca-eku-separation-june-2026.md(2026-05-27) -- Chrome Root Program Policy v1.8 Section 1.3.2, clientAuth EKU removal from public TLS intermediates. Different section, different operational impact.sc098v2-caa-rfc8657-mandatory.md(2026-05-20) -- CA/B Forum SC-098v2, RFC 8657 CAA parameter enforcement.lets-encrypt-generation-y-transition.md(2026-05-13) -- Let's Encrypt Generation Y hierarchy rollout and May 8 issuance incident.No substantial overlap with any of the three. The EKU post references Chrome Root Program Policy v1.8 but covers a different section (1.3.2 vs 1.3.4.1) with a different operational concern (what EKUs appear in intermediates vs whether certificates are logged to CT).