Skip to content

Draft: Certificate Transparency Opt-Outs Are Gone#30

Draft
krakenhavoc wants to merge 1 commit into
mainfrom
blog/draft-ct-logging-mandatory-2026-06-03
Draft

Draft: Certificate Transparency Opt-Outs Are Gone#30
krakenhavoc wants to merge 1 commit into
mainfrom
blog/draft-ct-logging-mandatory-2026-06-03

Conversation

@krakenhavoc

@krakenhavoc krakenhavoc commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

Topic

Certificate Transparency opt-out removal at DigiCert (June 1, 2026) and the Chrome Root Program Policy v1.8 Section 1.3.4.1 enforcement deadline (June 15, 2026) making precertificate logging mandatory before issuance for all Root Program participants.

Why this week

DigiCert removed CT opt-out settings from CertCentral on June 1, 2026 -- within the past 7 days. Chrome's enforcement deadline is June 15, 12 days out. The operational impact (internal hostnames permanently in public CT logs) is immediate and actionable for SREs managing infrastructure on public TLS certificates.

Sources used

Uniqueness check -- 3 most recent existing posts reviewed

  1. public-ca-eku-separation-june-2026.md (2026-05-27) -- Chrome Root Program Policy v1.8 Section 1.3.2, clientAuth EKU removal from public TLS intermediates. Different section, different operational impact.
  2. sc098v2-caa-rfc8657-mandatory.md (2026-05-20) -- CA/B Forum SC-098v2, RFC 8657 CAA parameter enforcement.
  3. lets-encrypt-generation-y-transition.md (2026-05-13) -- Let's Encrypt Generation Y hierarchy rollout and May 8 issuance incident.

No substantial overlap with any of the three. The EKU post references Chrome Root Program Policy v1.8 but covers a different section (1.3.2 vs 1.3.4.1) with a different operational concern (what EKUs appear in intermediates vs whether certificates are logged to CT).

DigiCert removed CT opt-out controls June 1, 2026. Chrome Root Program
Policy v1.8 Section 1.3.4.1 requires precertificate logging before
issuance for all Root Program participants by June 15. Post covers what
changed, hostname disclosure risks for internal infrastructure, crt.sh
audit commands, and private PKI migration paths.
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying web with  Cloudflare Pages  Cloudflare Pages

Latest commit: db55cc8
Status: ✅  Deploy successful!
Preview URL: https://1ddb17a9.web-f5e.pages.dev
Branch Preview URL: https://blog-draft-ct-logging-mandat.web-f5e.pages.dev

View logs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant