
Expect-CT reports

Get a report when a browser loads your site with a TLS certificate that doesn't meet the requirements of the browser's Certificate Transparency (CT) policy. For example, Google Chrome requires all publicly-trusted TLS certificates issued after April 30, 2018 to be "CT Qualified" in order to be recognized as valid. Being "CT Qualified" essentially means that every such certificate has to be logged in two or more known Certificate Transparency logs, which you can search with tools like crt.sh. With the Expect-CT header, you can also enforce the requirement for certificates issued earlier (or issued later with a "valid from" date set before that date). Check Chrome's CT policy to see exactly what it means for a certificate to be "CT qualified". Apple has a similar CT policy.

The Expect-CT response header:

Expect-CT: max-age=1800, enforce, report-uri="https://tack.has.report/report.php"

Test Expect-CT reporting

It would be quite a feat to obtain a certificate that violates, for example, Chrome's CT policy, so there is no "click here to generate the report" button here. Luckily, Chrome offers to send a test Expect-CT report:

  1. Go to Chrome's Domain Security Policy debug page: chrome://net-internals/#hsts (you need to copy & paste the link)
  2. Scroll down to Send test Expect-CT report
  3. Enter your custom reporting endpoint address https://tack.has.report/report.php (copy & paste) into the Report URI field
  4. Hit Send and you should see that the Test report succeeded
  5. Check your reports
  6. You'll find one expect-ct-report test report for the expect-ct-report.test host, with an empty scts list and empty certificate chains

Example Expect-CT report

This is what a full report looks like:

{
  "expect-ct-report": {
    "port": 443,
    "scts": [
      {
        "serialized_sct": "<Base64 Signed Certificate Timestamp data>",
        "source": "embedded",
        "status": "unknown",
        "version": 1
      },
      {
        "serialized_sct": "<Base64 Signed Certificate Timestamp data>",
        "source": "embedded",
        "status": "unknown",
        "version": 1
      }
    ],
    "hostname": "expect-ct-report.test",
    "date-time": "2020-05-15T23:16:25.889Z",
    "served-certificate-chain": [
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n",
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n"
    ],
    "effective-expiration-date": "2020-05-15T23:16:25.889Z",
    "validated-certificate-chain": [
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n",
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n",
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n"
    ]
  }
}
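An added example, not part of the original page or of the reporting service it describes: a Python validator for the report body above, as a reporting endpoint would run it on each POST. It checks the JSON shape, counts SCTs by status, and flags Chrome's test report from step 6; the make_report helper and the www.example.com hostname are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime

# Hostname Chrome's "Send test Expect-CT report" button uses (step 6 above).
TEST_HOSTNAME = "expect-ct-report.test"
REQUIRED = ("hostname", "port", "date-time", "effective-expiration-date",
            "scts", "served-certificate-chain", "validated-certificate-chain")
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # e.g. 2020-05-15T23:16:25.889Z

def parse_expect_ct_report(body):
    """Validate one POSTed Expect-CT report body and return a summary dict.
    Raises ValueError on anything malformed, so the endpoint can answer 400
    rather than store whatever an unauthenticated sender posts."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise ValueError("body is not JSON: %s" % exc)
    report = doc.get("expect-ct-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing 'expect-ct-report' object")
    missing = [f for f in REQUIRED if f not in report]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    scts, served = report["scts"], report["served-certificate-chain"]
    # Per-status SCT tally, e.g. {"unknown": 2} for the sample report above.
    statuses = dict(Counter(sct.get("status", "?") for sct in scts))
    return {
        "hostname": report["hostname"], "port": report["port"],
        "observed_at": datetime.strptime(report["date-time"], TIME_FMT),
        "expires_at": datetime.strptime(report["effective-expiration-date"], TIME_FMT),
        "sct_count": len(scts), "sct_statuses": statuses,
        "served_chain_len": len(served),
        "validated_chain_len": len(report["validated-certificate-chain"]),
        # Chrome's test report: the fixed hostname, no SCTs and empty chains.
        "is_test": report["hostname"] == TEST_HOSTNAME and not scts and not served,
    }

def make_report(hostname, n_scts, n_served, n_validated):
    """Build a constructed report body shaped like the example above (for tests)."""
    pem = "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n"
    sct = {"serialized_sct": "<Base64 SCT>", "source": "embedded", "status": "unknown", "version": 1}
    return json.dumps({"expect-ct-report": {
        "port": 443, "hostname": hostname, "scts": [sct] * n_scts,
        "date-time": "2020-05-15T23:16:25.889Z",
        "effective-expiration-date": "2020-05-15T23:16:25.889Z",
        "served-certificate-chain": [pem] * n_served,
        "validated-certificate-chain": [pem] * n_validated}})
```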

Related specs