
I think many of you have actually heard of Google's Certificate Transparency initiative. Now the initiative involves a public log of all certificates issued by some CA. As this is some amount of work, not all CAs have set it up yet. For example StartCom already said that it's hard to set it up from their side and a proper setup will take them months. In the meantime all the EV certificates are "downgraded" to "standard certificates" by Chrome.

Now it was stated that there are three ways of providing the necessary records to prevent downgrading:

  • x509v3 extensions, clearly only possible to the CA
  • TLS extension
  • OCSP stapling

Now I think that the second and the third require (no?) interaction from the issuing CA.

So the question:
Can I set up certificate transparency support with my apache webserver if my CA doesn't support it and how can I do so if it's possible?

SEJPM
  • I hope this is the right place to ask this, I've found nothing on the "how" on the internet. And I'd say this belongs to SF as it is about the *how* to set it up for servers and not related to workstations (not for SU). The question would be off-topic on InfoSec (although the "can" may be on-topic there...) – SEJPM Jul 30 '15 at 12:48
  • I can help you set up the TLS extension on Apache 2.4 and **only with OpenSSL >=1.0.2** as required. The TLS extension CAN be implemented without the CA's interaction if and only if StartCOM has submitted its root certificates to the Google Aviator, Pilot, Rocketeer logs. OCSP stapling REQUIRES CA interaction (they own the OCSP servers) so you cannot do that. The only viable option is the TLS extension with many "hacks" to Apache... –  Aug 19 '15 at 09:39
  • @Jason, getting OpenSSL v1.0.2 (or newer) can be asked in a separate question if it's unclear to the reader. If you can, please go ahead and post the answer on how to set apache (2.4) up to use the TLS extension assuming an appropriate openssl version is available. And maybe give a short explanation why OCSP stapling requires the CA to do something and what the CA would have to do for the extension to work. I'm pretty sure you'll help a lot of people with this answer :) – SEJPM Aug 19 '15 at 13:48
  • for anyone stumbling over this question before any answer is posted: [This blog entry describes the steps for apache](https://ritter.vg/blog-require_certificate_transparency.html) – SEJPM Aug 23 '15 at 09:50
  • Exactly what I was going to post, but building a new apache version I had a lot of problems with my existing and couldn't just destroy my system to experiment, so I didn't post a full tutorial... Really tons of problems arise when trying to properly run Apache from the /home directory if you have an existing installed Apache... –  Aug 23 '15 at 09:56
  • Granted, it sucks to lose a few years of SSL cert, but the easiest solution might just be to re-cert the box with a provider that _can_ support transparency. Seems like it needed to be pointed out. – erik258 Oct 29 '15 at 02:13

2 Answers


Sorry but you cannot unless you make your own extension for Certificate Transparency. There are no existing TLS extensions for certificate transparency in Apache 2.4.x and both x509v3 extensions and OCSP stapling can only be done by the Certificate Authority. Apache is working on bringing a TLS extension for Apache 2.5 however.


Nowadays, you could do it with the TLS extension method and the mod_ssl_ct Apache module.

Jaime Hablutzel
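The question lists three routes for delivering SCTs (x509v3 extension, TLS extension, OCSP stapling) and the last answer names mod_ssl_ct for the TLS-extension route. All three carry the same RFC 6962 SignedCertificateTimestampList encoding, so an operator verifying what a server actually serves (or what a CA embedded) needs to decode that structure. The parser below is an added example, not code from this thread or from mod_ssl_ct; `build_sct_list` only produces constructed sample bytes (a fake log ID and signature), not data from a real log, and no signature is verified.

```python
import struct
from datetime import datetime, timezone

def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    return struct.unpack_from(">H", buf, off)[0]

def parse_sct(sct):
    """Parse one SerializedSCT (RFC 6962 s3.2): version, 32-byte log ID, u64 ms
    timestamp, u16-prefixed extensions, hash alg, sig alg, u16-prefixed signature."""
    if len(sct) < 43 or sct[0] != 0:          # only v1 (value 0) is defined
        raise ValueError("SCT too short or not version 1")
    log_id = sct[1:33]
    ts_ms = struct.unpack_from(">Q", sct, 33)[0]
    off = 43 + _u16(sct, 41)                  # end of the extensions field
    extensions = sct[43:off]
    if len(extensions) != off - 43 or len(sct) < off + 4:
        raise ValueError("SCT extensions/signature truncated")
    hash_alg, sig_alg = sct[off], sct[off + 1]
    sig_len = _u16(sct, off + 2)
    signature = sct[off + 4:off + 4 + sig_len]
    if len(signature) != sig_len or off + 4 + sig_len != len(sct):
        raise ValueError("SCT signature truncated or trailing bytes")
    return {"log_id": log_id.hex(), "extensions": extensions,
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature}

def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList: u16 total length, then one or
    more u16-length-prefixed SerializedSCT entries; rejects trailing bytes."""
    total = _u16(data, 0)
    if total == 0 or total != len(data) - 2:
        raise ValueError("bad SCT list length")
    scts, off = [], 2
    while off < len(data):
        n = _u16(data, off)
        off += 2
        if n == 0 or off + n > len(data):
            raise ValueError("bad SCT entry length")
        scts.append(parse_sct(data[off:off + n]))
        off += n
    return scts

def build_sct_list(log_id, ts_ms, signature):
    """Constructed encoder (sample data, not from a real log) for self-tests."""
    sct = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
           + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)  # sha256, ecdsa
    return struct.pack(">H", len(sct) + 2) + struct.pack(">H", len(sct)) + sct
```

The same bytes appear as the OCTET STRING content of the certificate extension with OID 1.3.6.1.4.1.11129.2.4.2, as the body of the TLS `signed_certificate_timestamp` extension, and inside the OCSP response extension, so one decoder covers all three routes.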