Security

Certificate Transparency

Every publicly-trusted certificate must appear in append-only public logs. Chrome, Safari, and Edge enforce it — non-CT certs throw a hard browser error.

Authority: IETF
Version: RFC 6962 / RFC 9162
Jurisdiction: Global
Source: datatracker.ietf.org
Last reviewed: 2026-04-28
Last verified: pending

What it is

RFC 6962 (experimental) and RFC 9162 (CT 2.0 standards-track). A system of cryptographically-verifiable, append-only logs of every issued certificate. Browsers require certificates to ship with Signed Certificate Timestamps from multiple logs.

Why it matters

CT is how you (or your domain monitoring tool) catch certificates issued for your domain that you didn't authorise. Combined with CAA records, it closes the 'rogue CA issuance' attack at both the issuance and detection layers.

Who it applies to

Every publicly-trusted certificate — automatic via your CA, but worth monitoring.

How WQI scores it

Web Quality Index considers this standard satisfied when the supporting factor passes.

#	Factor	Status
92	Embedded SCT count (Certificate Transparency)	planned

0 of 1 supporting factors are currently collected. Sites where the remaining 1 haven't been measured will show as partial or unknown on this standard until the data lands.

Related standards

See also: SSL valid , CAA , OCSP Stapling

Other references

rfc RFC 9162 — Certificate Transparency 2.0
guidance certificate.transparency.dev
tooling crt.sh — public CT log search