Certificate transparency and privately installed certs


Does anyone know whether the certificate transparency feature as promoted by Google can/will apply to privately installed CAs?

It seems like Chrome is already enforcing CT in some situations, presumably by auditing public CA logs. For private CAs that do legitimate Man-in-the-middle, there obviously won't be public CA auditing information, and it would be good to know that Chrome won't balk at that.

4


1
BEST ANSWER

The CT enforcement policy applies only to public CAs, not self-signed or private CAs. The closest thing I could find confirming this was this tweet from Google's Ryan Sleevi.

Image of Ryan Sleevi's tweet

0

The official docs make it clear that Certificate Transparency only applies to CAs that are publicly-trusted - that is, CAs that are supported by your browser or device out of the box, without any additional configuration steps.

For CAs that have been manually installed, provided those certificates are not or have not been publicly-trusted, it's not necessary to enable support for Certificate Transparency. Further, Certificate Transparency Logs will not accept certificates from those CAs, thus it's not possible to support CT.

Ref: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/docs/certificate-transparency.md#Locally_trusted-CAs
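As an added illustration (not code from the thread or from Chromium), the check below mirrors that policy: it builds a constructed self-signed leaf from a private CA, confirms it carries no embedded SCT extension, and reports CT as not required because the issuer is not publicly trusted. It assumes the `cryptography` package is installed; `ct_status` and `make_private_leaf` are hypothetical helper names.

```python
"""Embedded-SCT check reflecting Chrome's CT policy: SCTs are expected only
when the issuer is publicly trusted. Assumes the `cryptography` package."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# OID 1.3.6.1.4.1.11129.2.4.2: SCT list embedded in a certificate (RFC 6962)
SCT_OID = ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS


def has_embedded_scts(cert: x509.Certificate) -> bool:
    """True if the certificate carries at least one embedded SCT."""
    try:
        ext = cert.extensions.get_extension_for_oid(SCT_OID)
    except x509.ExtensionNotFound:
        return False
    return len(ext.value) > 0


def ct_status(cert: x509.Certificate, publicly_trusted_issuer: bool) -> str:
    """Locally trusted issuers are exempt from CT; public ones need SCTs."""
    if not publicly_trusted_issuer:
        return "ct-not-required"
    return "ct-compliant" if has_embedded_scts(cert) else "ct-required-missing"


def make_private_leaf() -> x509.Certificate:
    """Constructed sample: a self-signed cert as a private CA would issue.
    No CT log would accept it, so it has no SCT extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "intranet.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )


if __name__ == "__main__":
    leaf = make_private_leaf()
    print("embedded SCTs:", has_embedded_scts(leaf))
    print("private CA  ->", ct_status(leaf, publicly_trusted_issuer=False))
    print("public CA   ->", ct_status(leaf, publicly_trusted_issuer=True))
```

Run the same check against a certificate loaded with `x509.load_pem_x509_certificate` to see whether a publicly issued leaf carries SCTs.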

0

Still an issue, private certs do have issues with CT, as I've explained here: Referrer policy hide the referrer of self-signed certificates

0

CT enforcement policy also seems to be applied to internal EV certificates.

Whereas in Internet Explorer the address bar is green with the EV company name, in Chrome it is only listed as "Secure | https".