1.1.6 Certificate Transparency

Certificate Transparency processing, when enabled on a certificate authority (CA) server, allows the server to issue digital certificates to clients while also sending those certificates to a publicly available certificate transparency log that a compliant operator can monitor and audit. Issued certificates can be added to such a log either before or after they are issued to clients; adding them beforehand requires the use of precertificates. A compliant application can query a certificate transparency log for proof that a certificate exists.

The Certificate Transparency feature is introduced in the Windows Server v1809 operating system<1>. Any digital certificate that is issued by a certificate authority (CA) running Windows Server v1809 or later can be submitted to a certificate transparency log as a precertificate, as defined in [RFC6962].

The diagram that follows shows the sequence in which basic certificate enrollment occurs when Certificate Transparency processing is enabled on a CA server.

Figure 2: Basic enrollment with Certificate Transparency enabled

The individual steps are described as follows:

  1. The WCCE client submits a new certificate request, via the ICertRequestD2::Request2 method ([MS-WCCE] section 3.2.1.4.3.1), to the certificate authority (CA) server to indicate that certificate transparency processing is required.

  2. The CA server's response to the WCCE client's certificate request contains a Certificate Transparency precertificate.

  3. The WCCE client submits the precertificate to one or more certificate transparency logs ([RFC6962]).

  4. One or more certificate transparency logs respond by sending a Signed Certificate Timestamp (SCT) to the WCCE client ([RFC6962]).

    The WCCE client generates a SignedCertificateTimestampList (SCTList) structure from the received SCT(s).

  5. The WCCE client calls the ICertRequestD2::Request2 method again, but in this case with the SCTList structure and the RequestId attribute included; the request is then sent to the CA server.

  6. The WCCE client configures the dwFlags parameter of a new ICertRequestD2::Request2 message (to set the request format for Certificate Transparency processing) and submits it to the CA server.

  7. The CA server issues a digital certificate to the WCCE client.
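The SCTList structure the WCCE client assembles in step 4 and resubmits in step 5 follows the SignedCertificateTimestampList layout of [RFC6962]. The following is an added example, not code from the specification or from Windows: an encoder for v1 SCTs and an SCTList, and a bounds-checked parser that rejects truncated or over-long length fields. The log ID, timestamp and signature bytes are constructed placeholders; verifying the SCT signature against a log's public key is not shown.

```python
import struct

LOG_ID = bytes(range(32))          # constructed 32-byte log ID (SHA-256 of log key), not from the spec
TIMESTAMP_MS = 1_700_000_000_000   # constructed SCT timestamp, milliseconds since the Unix epoch

def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Serialize one RFC 6962 v1 SCT: version(1) log_id(32) timestamp(8) extensions<2-byte
    len> hash_alg(1) sig_alg(1) signature<2-byte len>; 4/3 are the TLS codes for sha256/ecdsa."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature)

def build_sct_list(scts: list[bytes]) -> bytes:
    """Wrap serialized SCTs into a SignedCertificateTimestampList (step 4 above)."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    if not scts or len(body) > 0xFFFF:
        raise ValueError("sct_list must hold 1..2^16-1 bytes")
    return struct.pack(">H", len(body)) + body

def parse_sct_list(data: bytes) -> list[dict]:
    """Parse an SCTList back into its SCTs; every length field is bounds-checked."""
    def take(buf: bytes, n: int, what: str) -> tuple[bytes, bytes]:
        if len(buf) < n:
            raise ValueError(f"truncated {what}")
        return buf[:n], buf[n:]
    def vec(buf: bytes, what: str) -> tuple[bytes, bytes]:  # opaque<0..2^16-1>: 2-byte length + data
        ln, buf = take(buf, 2, what + " length")
        return take(buf, struct.unpack(">H", ln)[0], what)
    body, trailing = vec(data, "sct_list")
    if trailing:
        raise ValueError("trailing bytes after sct_list")
    scts = []
    while body:
        sct, body = vec(body, "SCT")
        ver, sct = take(sct, 1, "version")
        if ver != b"\x00":
            raise ValueError("unsupported SCT version")
        log_id, sct = take(sct, 32, "log_id")
        ts, sct = take(sct, 8, "timestamp")
        ext, sct = vec(sct, "extensions")
        algs, sct = take(sct, 2, "signature algorithms")
        sig, sct = vec(sct, "signature")
        if sct:
            raise ValueError("trailing bytes inside SCT")
        scts.append({"log_id": log_id, "timestamp_ms": struct.unpack(">Q", ts)[0], "extensions": ext,
                     "hash_alg": algs[0], "sig_alg": algs[1], "signature": sig})
    return scts
```

A monitor or auditor reading the SCT list extension out of an issued certificate can use the same parser to check that each embedded SCT names an expected log ID and carries a plausible timestamp.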