Mandatory Certificate Transparency logging for all new TLS certificates

5 Jun 2026 | Petra Salašová

Starting June 1, 2026, DigiCert will log all newly issued public TLS certificates, including reissued certificates, to Certificate Transparency (CT) logs. This change applies to all certificates issued by DigiCert certificate authorities, regardless of validation type (DV, OV, EV, QWAC, PSD2) or brand (DigiCert®, GeoTrust®, Thawte®, RapidSSL®). In this article, you'll learn why this change is being introduced and what it means for your organization.

Why is logging now mandatory?

Behind this change is a new requirement introduced by Google for its Chrome browser. It requires that by June 15, 2026, all certification authorities start logging all TLS certificates to at least one Certificate Transparency log. The aim is greater transparency of certificate issuance and stronger internet security.

As a reminder, CT logs create publicly auditable records of certificate issuance by all certification authorities. This allows domain owners and browsers to detect misused or fraudulent certificates and thus prevent man-in-the-middle attacks. It has been over a decade since Google started requiring logging for Extended Validation (EV) certificates. The requirement was gradually extended to Organization Validation (OV) and Domain Validation (DV) certificates.

Until now, CT logging was required only if the certificate was intended for use in a public client. Certificates that were not logged to CT worked in browsers but displayed warnings about untrustworthiness. As of June 1, 2026, however, all public TLS certificates must be logged to CT regardless of the intended use.

How will this change affect you?

DigiCert logs all the public TLS certificates it issues to CT logs for you, so no action is required on your part. The change also does not affect TLS certificates that were already issued and kept out of CT logs before June 1, 2026.

The newly enforced CT logging will only affect you if you work with internal certificates intended for private use outside of web browser environments and you need to keep newly issued certificates (i.e., those with an issuance date from June 1, 2026) out of public CT logs. The solution is a private PKI, which does not require browser trust and is therefore not subject to the new Chrome requirement. However, keep in mind that a private PKI is only suitable for certificates that will never need the trust of external users, partners, or public internet clients.

Source:

DigiCert to Enforce CT Logging for All Public TLS Certificates