Given Google's push forward on Certificate Transparency in their Chrome browser, I'm looking for options on getting IIS to play nicely with it. Their resources for site owners says there are three methods of providing the "SCT" required to verify the certificate transparency:
1. X509v3 Extension
2. TLS Extension
3. OCSP Stapling
Options 1 and 3 require the CA to participate, and many are not at the moment. Getting a new certificate from a participating CA that would provide option 1 is also out of the question for us due to cost.
That leaves the only option that doesn't require CA intervention: option 2. In this case we would submit our certificate to the log servers ourselves, and then provide the SCTs via a TLS extension. The problem is, due to the newness of all this, Windows Server / IIS doesn't appear to support it. So my two questions:
- Does anyone know if providing the SCT information via the prescribed TLS extension can be done with IIS and Windows Server as-is today?
- If not, how does one go about submitting a feature request?