blocks|key|458879|text|CT执行政策只适用于公共CA，而不适用于自签署或私人CA。我能找到的最接近证实这一点的是来自谷歌Ryan的这条推特。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|458880|​|458881|📷|atomic|458882|458883|entityMap|0|LINK|mutability|MUTABLE|url|https://twitter.com/sleevi_/status/790959275925344262|1|IMAGE|IMMUTABLE|imageUrl|https://developer.qcloudimg.com/http-save/yehe-900000/ed8b9f8603cb7b8099b8c36d868b8f06.png|imageAlt^0|1H|4|0|0|0|0|1|1|0|0^^$0|@$1|2|3|4|5|6|7|X|8|@]|9|@$A|Y|B|Z|1|10]]|C|$]]|$1|D|3|E|5|6|7|11|8|@]|9|@]|C|$]]|$1|F|3|G|5|H|7|12|8|@]|9|@$A|13|B|14|1|15]]|C|$]]|$1|I|3|E|5|6|7|16|8|@]|9|@]|C|$]]|$1|J|3|-4|5|6|7|17|8|@]|9|@]|C|$]]]|K|$L|$5|M|N|O|C|$P|Q]]|R|$5|S|N|T|C|$U|V|W|-4]]]]

The CT enforcement policy applies only to public CAs, not self-signed or private CAs. The closest thing I could find confirming this was <a href="https://twitter.com/sleevi_/status/790959275925344262" rel="nofollow">this tweet</a> from Google's Ryan Sleevi.

<a href="https://i.stack.imgur.com/dWBVv.png" rel="nofollow"><img src="https://i.stack.imgur.com/dWBVv.png" alt="Image of Ryan Sleevi&#39;s tweet"></a>

blocks|key|2380167|text|CT执行政策似乎也适用于内部EV证书。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2380168|而在Internet中，地址栏是绿色的，带有EV公司名称，而在chrome中，它只被列出为"Secure+_+https“。|2380169|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

CT enforcement policy also seems to be applied to internal EV certificates.

Whereas in Internet Explorer the addressbar is green with EV company name, and in chrome it is only listed as "Secure | https".

blocks|key|2380194|text|不过，私人证书确实存在CT问题，正如我在这里解释过的：引用策略隐藏自签名证书的引用者。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|2380195|entityMap|0|LINK|mutability|MUTABLE|url|https://stackoverflow.com/questions/54890552/referrer-policy-hide-the-referrer-of-self-signed-certificates^0|R|G|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

Still an issue, private certs does have issues with CT, as I've explained here:
<a href="https://stackoverflow.com/questions/54890552/referrer-policy-hide-the-referrer-of-self-signed-certificates">Referrer policy hide the referrer of self-signed certificates</a>

blocks|key|458989|text|官方文档明确指出，证书透明度只适用于公开信任的CA，即浏览器或设备开箱即用的CA，而不需要任何额外的配置步骤。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|458990|对于已手动安装的CA，只要这些证书不受或不受公共信任，就没有必要启用对证书透明性的支持。此外，证书透明度日志将不接受来自这些CA的证书，因此不可能支持CT。|458991|参考文献：信得过-|offset|length|458992|entityMap|0|LINK|mutability|MUTABLE|url|https://chromium.googlesource.com/chromium/src/%2B/refs/heads/main/net/docs/certificate-transparency.md#Locally_trusted-CAs^0|0|0|5|4|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Q|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|R|8|@]|9|@$F|S|G|T|1|U]]|A|$]]|$1|H|3|-4|5|6|7|V|8|@]|9|@]|A|$]]]|I|$J|$5|K|L|M|A|$N|O]]]]

The official docs make it clear that Certificate Transparency only applies to CAs that are publicly-trusted - that is, CAs that are supported by your browser or device out of the box, without any additional configuration steps.
For CAs that have been manually installed, provided those certificates are not or have not been publicly-trusted, it‘s not necessary to enable support for Certificate Transparency. Further, Certificate Transparency Logs will not accept certificates from those CAs, thus it’s not possible to support CT.
Ref:
<a href="https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/docs/certificate-transparency.md#Locally_trusted-CAs" rel="nofollow noreferrer">https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/docs/certificate-transparency.md#Locally_trusted-CAs</a>

Does anyone know whether the <a href="https://www.certificate-transparency.org/how-ct-works" rel="nofollow noreferrer">certificate transparency</a> feature as promoted by Google can/will apply to private installed CAs?

It seems like Chrome is already <a href="https://stackoverflow.com/questions/38287197/what-exactly-does-it-mean-when-chrome-reports-invalid-certificate-transparency?s=2%7C2.4443">enforcing CT</a> in some situations, presumably by auditing public CA logs. For private CAs that do legitimate Man-in-the-middle, there obviously won't be public CA auditing information, and it would be good to know that Chrome won't balk at that.

Certificate transparency and privately installed certs

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

有没有人知道谷歌推广的功能是否适用于私人安装的CA？在某些情况下，Chrome似乎已经是，大概是通过审核公共CA日志来实现的。对于那些做合法中间人的私人CA来说，显然不会有公开的CA审计信息，最好知道Chrome不会对此犹豫不决。

问证书透明度和私人安装的证书
EN

回答 4

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问证书透明度和私人安装的证书EN

回答 4

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问证书透明度和私人安装的证书
EN