SSL certificates – yes, we have heard much about SSL certificates, but how about SSL Precertificates? – it doesn’t seem to ring a bell, does it? Now, this blog is an attempt to explore SSL Precertificates – what they are, where they are used and how they work.
SSL Precertificates – What they are
SSL Precertificates are a type of SSL certificates that are intended to provide proof that an SSL certificate has been logged for embedding certificate transparency (CT) data in a certificate directly. SSL Precertificates cannot be used to form a secure/encrypted connection. And they also cannot be used for server authentication.
The term precertificate can actually confuse a user. It does not mean what we think it may actually mean. Precertificates may exist for the SSL certificates that you already have, and it is not necessary that you need to know about it.
Uses of Precertificates
To understand the uses of SSL precertificates you must first know about Certificate Transparency and its goals.
Certificate Transparency aims to remedy certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, Certificate Authorities (CAs), and domain users.
“Specifically, Certificate Transparency has three main goals:
- Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
- Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
- Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.”
CT creates an open framework comprised of three main components for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates. This open framework consists of the following:
- public logs of certificates,
- public log monitoring,
- and public certificate auditing.
It is for these logs that SSL Precertificates provide proof that the certificates have been logged. Precertificates have an advantage over other methods in providing proof of submission. In other methods, the file for submission to a certificate transparency log (SCT) is provided separately.
CT Log Signature Production
The purpose of the CT log is to produce the correct valid signature for the certificate’s data, and for that, it requires the SCT from the log. The SSL precertificates allow the CT log to produce the valid signature without being in possession of the final certificate. The CA is now able to issue the final certificate with the SCT included. Misissuance of precertificates is treated on par with misissuance of the final certificates. Hence, due diligence must be followed during precertificate issuance.
How Do Precertificates Work?
X.509 is a cryptographic standard format for defining public key certificates such as SSL certificates. A precertificate is defined with a “poison extension” to the X.509 format. It differentiates it from normal SSL certificates. When browsers or operating systems encounter this extension they are not understood by them and hence they will be treated as invalid. This factor prevents SSL precertificates from being used for a secure/encrypted connection or for server authentication.