EJBCA / ECA-6397

Filter CT logs based on expiration date of certificate


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.10.1
    • Component/s: None
    • Labels:


      Customer says:

      Another complication with using EJBCA with Certificate Transparency is the new approach some log operators are taking. They have different logs for each year certificates expire (one for certs expiring in 2018, a different one for 2019, etc.). Trying to set up all the profiles with different logs and keeping them up to date will be overly complex. Both Google and CloudFlare have taken this approach and we expect others to follow [...]
      Can you support the proper selection of CT logs based on certificate expiration date?

      There are already some logs pending inclusion in Chrome which only accept certificates with an expiration date in a certain range, e.g. ct.googleapis.com/logs/argon2018 only accepting certificates expiring in 2018.

      We should anticipate and prepare for other types of constraints which may be specified in the future so we don't risk having to deprecate additional variables in CTLogInfo.

      I suggest we implement this as follows:

      1. Create a package certificatetransparency.acceptancerules
      2. Create an interface in this package as follows
        interface CtLogAcceptanceRule {
            public boolean accepts(X509Certificate certificate);
        }
      3. Create a class ExpirationDateAcceptanceRule implementing CtLogAcceptanceRule
        public class ExpirationDateAcceptanceRule implements CtLogAcceptanceRule {
            private final Date from, to;
            public ExpirationDateAcceptanceRule(Date from, Date to) {
                this.from = from;
                this.to = to;
            }
            public boolean accepts(X509Certificate certificate) {
                // true iff from <= certificate.getNotAfter() < to (half-open interval)
                final Date notAfter = certificate.getNotAfter();
                return !notAfter.before(from) && notAfter.before(to);
            }
        }
      4. Associate a List<CtLogAcceptanceRule> with each CTLogInfo object. We should publish the certificate C to the CT log L iff logAcceptsCertificate(L, C) returns true.
        private boolean logAcceptsCertificate(CTLogInfo ctLog, X509Certificate certificate) {
            final List<CtLogAcceptanceRule> rules = ctLog.getAcceptanceRules();
            if (rules == null) { return true; } // no rules configured: always contacted
            for (CtLogAcceptanceRule acceptanceRule : rules) {
                if (!acceptanceRule.accepts(certificate)) {
                    return false;
                }
            }
            return true;
        }
      5. Add GUI code to editctlog.jsp which allows the user to enable an expiration date acceptance rule based on a start and end date.

      NOTE: No upgrade procedure needed. If nothing has been specified, a log will have no rules (a null list), and will always be contacted.

      We should also mention this feature in the documentation (adminguide.xml).
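A complete version of the design above, as an added example and not EJBCA's own code: the rule interface, the expiry rule with a half-open [from, to) interval so that adjacent yearly logs never both accept the same certificate, and the per-log check with the "no rules means always contacted" semantics from the note. The CtLog class is an assumed stand-in for CTLogInfo, forYear is an assumed helper that maps a calendar year to UTC instants, and the argon2019 log name is assumed from the customer's description. Because building an X509Certificate offline needs a signing CA, the demo feeds constructed notAfter instants to the rules through an injected predicate; selectLogs(logs, certificate) is the path a real submission would use.

```java
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.function.Predicate;

/** Rule interface as proposed in the issue: one yes/no decision per certificate. */
interface CtLogAcceptanceRule {
    boolean accepts(X509Certificate certificate);
}

/** Accepts a certificate iff from <= notAfter < to (half-open, so yearly rules do not overlap). */
final class ExpirationDateAcceptanceRule implements CtLogAcceptanceRule {
    private final Date from;
    private final Date to;

    ExpirationDateAcceptanceRule(Date from, Date to) {
        if (from == null || to == null || !from.before(to)) {
            throw new IllegalArgumentException("from must be strictly before to");
        }
        this.from = new Date(from.getTime()); // defensive copies: java.util.Date is mutable
        this.to = new Date(to.getTime());
    }

    /** Assumed helper: one calendar year in UTC, e.g. forYear(2018) is [2018-01-01T00:00Z, 2019-01-01T00:00Z). */
    static ExpirationDateAcceptanceRule forYear(int year) {
        Date start = Date.from(LocalDate.of(year, 1, 1).atStartOfDay(ZoneOffset.UTC).toInstant());
        Date end = Date.from(LocalDate.of(year + 1, 1, 1).atStartOfDay(ZoneOffset.UTC).toInstant());
        return new ExpirationDateAcceptanceRule(start, end);
    }

    /** The comparison itself; X509Certificate.getNotAfter() already yields an absolute instant. */
    boolean acceptsNotAfter(Date notAfter) {
        return !notAfter.before(from) && notAfter.before(to);
    }

    @Override
    public boolean accepts(X509Certificate certificate) {
        return acceptsNotAfter(certificate.getNotAfter());
    }
}

/** Assumed stand-in for CTLogInfo: a log URL plus the proposed List<CtLogAcceptanceRule>. */
final class CtLog {
    final String url;
    final List<CtLogAcceptanceRule> rules; // null or empty: no constraints, always contacted

    CtLog(String url, List<CtLogAcceptanceRule> rules) {
        this.url = url;
        this.rules = rules;
    }
}

public class CtLogSelection {
    /** Core selection: a log is used iff every rule it has accepts; a log without rules is always used. */
    static List<CtLog> selectLogs(List<CtLog> logs, Predicate<CtLogAcceptanceRule> ruleAccepts) {
        List<CtLog> chosen = new ArrayList<>();
        for (CtLog log : logs) {
            boolean accepted = true;
            if (log.rules != null) {
                for (CtLogAcceptanceRule rule : log.rules) {
                    if (!ruleAccepts.test(rule)) {
                        accepted = false;
                        break;
                    }
                }
            }
            if (accepted) {
                chosen.add(log);
            }
        }
        return chosen;
    }

    /** Production entry point: evaluate each rule against the real certificate. */
    static List<CtLog> selectLogs(List<CtLog> logs, X509Certificate certificate) {
        return selectLogs(logs, rule -> rule.accepts(certificate));
    }

    public static void main(String[] args) {
        List<CtLog> logs = Arrays.asList(
            new CtLog("ct.googleapis.com/logs/argon2018", Arrays.<CtLogAcceptanceRule>asList(ExpirationDateAcceptanceRule.forYear(2018))),
            new CtLog("ct.googleapis.com/logs/argon2019", Arrays.<CtLogAcceptanceRule>asList(ExpirationDateAcceptanceRule.forYear(2019))), // assumed name
            new CtLog("ct.example.invalid/unconstrained", null)); // pre-existing log with no rules

        // Constructed notAfter values around the year boundary; no certificate is built here.
        String[] samples = { "2018-12-31T23:59:59Z", "2019-01-01T00:00:00Z", "2021-06-01T12:00:00Z" };
        for (String sample : samples) {
            Date notAfter = Date.from(Instant.parse(sample));
            // Every rule in the demo is an expiry rule, so evaluate it on the date directly.
            List<CtLog> chosen = selectLogs(logs, rule ->
                rule instanceof ExpirationDateAcceptanceRule
                    && ((ExpirationDateAcceptanceRule) rule).acceptsNotAfter(notAfter));
            List<String> urls = new ArrayList<>();
            for (CtLog log : chosen) {
                urls.add(log.url);
            }
            System.out.println("notAfter " + sample + " -> " + urls);
        }
    }
}
```

The last second of 2018 goes to the 2018 log and the first second of 2019 to the 2019 log, which is why the upper bound is exclusive; a certificate expiring outside any configured range reaches only the unconstrained log. The caller should treat an empty result from selectLogs as a configuration problem rather than silently issuing a certificate that no log will ever accept.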


              bastianf Bastian Fredriksson
              Verified by: Samuel Lidén Borell



                  Time Tracking

                  Original Estimate - 1 day
                  Remaining Estimate - 0 minutes
                  Time Spent - 1 day, 1 hour