Use this filter to:

  1. Collect a set of signed CT log server responses.
  2. Ask the underlying CA to include these responses in an SCT List extension of the certificates it issues for public trust.

When selecting this filter, configure the following settings under properties.

connection-timeout-millis

The connection timeout for the HTTP communication with the log server, in milliseconds.

Mandatory: No. This optional parameter defaults to 5000 milliseconds.

ct-policy-json

The number of log server responses CA Gateway must wait for.

CA Gateway can cope with slow-running or unresponsive log servers when the number of servers configured under log-server.<i>.<setting> exceeds the number of required responses.

The general form of this JSON value is:

{
sct-policy:[
[<months-threshold>,<threshold-equals>,<google-min-responses>,<non-google-min-responses>]
],
insurance:<insurance>
}

See the following table for a description of each parameter.

| Parameter | Value |
|---|---|
| months-threshold | The applicability of the sct-policy entry according to the certificate lifetime, as a number of months. When defining multiple policies, this value determines which policy to apply when issuing a certificate. Specifying a high value ensures this policy applies to all certificates issued. |
| threshold-equals | true to compare months-threshold with the actual certificate lifetime using the equals operator ('='); false to compare using the less-than-or-equals operator ('<='). |
| google-min-responses | The minimum number of Google-compatible log server responses to include in the issued certificate. |
| non-google-min-responses | The minimum number of non-Google-compatible log server responses to include in the issued certificate. |
| insurance | The number of log server responses to collect above the following minimum: google-min-responses + non-google-min-responses |

Mandatory: No. This optional parameter defaults to:

{
sct-policy:[
[39,true,0,1]
],
insurance:0
}

In the configuration, you can flatten this default value to:

{sct-policy:[[38,true,0,1]],insurance:0}
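To make the policy selection and counting rules above concrete, here is an added example (not Entrust code) that parses a ct-policy-json value, picks the row that applies to a certificate lifetime, and checks a set of collected SCTs against the documented minimums. It assumes standard JSON quoting (the page shows keys unquoted) and that, when several rows match, the first one in list order wins; the two-tier policy and the log names are constructed.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed inputs: the documented default policy (keys quoted so that
# strict JSON parsing works; the page shows them unquoted) and a made-up
# two-policy configuration for certificates of differing lifetimes.
DEFAULT_POLICY = '{"sct-policy":[[39,true,0,1]],"insurance":0}'
TWO_TIER_POLICY = '{"sct-policy":[[12,false,1,1],[39,true,0,1]],"insurance":1}'


@dataclass(frozen=True)
class SctPolicy:
    months_threshold: int
    threshold_equals: bool
    google_min: int
    non_google_min: int

    def applies_to(self, lifetime_months: int) -> bool:
        """threshold-equals selects '=' versus '<=' against the certificate lifetime."""
        if self.threshold_equals:
            return lifetime_months == self.months_threshold
        return lifetime_months <= self.months_threshold


def parse_ct_policy(text: str) -> tuple[list[SctPolicy], int]:
    """Parse ct-policy-json into its policy rows and the insurance count."""
    doc = json.loads(text)
    rows = [SctPolicy(int(m), bool(eq), int(g), int(ng)) for m, eq, g, ng in doc["sct-policy"]]
    return rows, int(doc.get("insurance", 0))


def select_policy(rows: list[SctPolicy], lifetime_months: int) -> SctPolicy | None:
    """Pick the row for this lifetime; first match in list order wins (assumption)."""
    return next((p for p in rows if p.applies_to(lifetime_months)), None)


def responses_to_collect(policy: SctPolicy, insurance: int) -> int:
    """Total SCTs to request: the documented minimum plus the insurance margin."""
    return policy.google_min + policy.non_google_min + insurance


def meets_minimum(policy: SctPolicy, scts: list[tuple[str, bool]]) -> bool:
    """True when the collected (log name, google flag) SCTs satisfy both minimums."""
    google = sum(1 for _, is_google in scts if is_google)
    return google >= policy.google_min and len(scts) - google >= policy.non_google_min
```

With the default policy, a 12-month certificate matches no row because threshold-equals is true and 12 != 39; with the two-tier policy it falls under the first row and three responses (two minimum plus one insurance) are requested.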

log-server.<i>.<setting>

The settings of each log server that CA Gateway must contact to request a signed CT response. You must define at least one server, with <i> starting at 0.

| <setting> | Value |
|---|---|
| name | A friendly name for the log server. For example: "Google Log Server". |
| url | The URL of the log server. |
| google | true if the SCTs produced by this log server are Google Chrome compatible. |
| public-key | The public key of the log server, as a Base64 DER-encoded public key. Log servers typically advertise their keys publicly. |
| tls-trust-anchor | The trust anchor for the CT Filter to perform the TLS handshake with the log server, as a Base64 DER-encoded certificate. |

Mandatory: Yes.

proxy-host-name

The hostname of the proxy for accessing the CA server.

The proxy configured using this parameter is part of your corporate infrastructure; it is not an Entrust product.

Mandatory: Only when traffic to the CA server passes through a proxy.

proxy-port

The port for accessing the proxy.

Mandatory: Only when traffic to the CA server passes through a proxy.

socket-timeout-millis

The TCP Socket timeout for the HTTP communication with the log server, in milliseconds.

Mandatory: No. This optional parameter defaults to 5000 milliseconds.