ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
SSL/TLS Error
What Does ERR_CERTIFICATE_TRANSPARENCY_REQUIRED Mean?
ERR_CERTIFICATE_TRANSPARENCY_REQUIRED is an SSL/TLS error that occurs when a website's SSL certificate does not comply with Certificate Transparency (CT) requirements. Certificate Transparency is a security framework that requires all publicly trusted SSL certificates to be logged in public, append-only CT logs, making certificate issuance transparent and auditable.
Google Chrome has enforced Certificate Transparency for all certificates issued after April 2018. This means every SSL certificate must include Signed Certificate Timestamps (SCTs) proving it was logged in at least two independent CT logs. Without these SCTs, Chrome will reject the certificate and display this error.
Certificate Transparency was designed to detect mis-issued and fraudulent certificates quickly. By requiring all certificates to be publicly logged, domain owners can monitor CT logs for unauthorized certificates issued for their domains. This system has already helped discover several cases of CAs improperly issuing certificates, significantly improving the overall security of the certificate ecosystem.
Common Causes
The most common cause is a certificate issued by a CA that does not properly submit certificates to CT logs. Reputable public CAs automatically log certificates, but some smaller or private CAs may not comply with CT requirements. If your CA does not include SCTs in the certificate or via OCSP stapling, this error will appear in Chrome.
Private or internal CAs used in enterprise environments typically do not submit to CT logs (and are not required to). However, if these internal CA certificates are not properly configured as trusted in the browser's certificate store, Chrome may apply public CT requirements to them, causing this error. Enterprise environments must configure Chrome's CertificateTransparencyEnforcementDisabledForCas policy for internal CAs.
Older certificates issued before CT enforcement (pre-April 2018) that are still valid may not have SCTs. While most CAs retroactively logged their certificates, some may have been missed. Additionally, server misconfiguration that strips SCT extensions from the TLS handshake, or OCSP stapling failures that prevent SCT delivery via OCSP, can trigger this error.
Step-by-Step Fix
For website visitors: This error usually has to be fixed by the website administrator. Clear your browser cache and try again, as the issue may have been recently resolved. If you are in an enterprise environment, contact your IT department, as they may need to configure a CT policy exception for internal certificates. Ensure your browser is up to date.
For website administrators: Contact your Certificate Authority and request a certificate that includes SCTs (Signed Certificate Timestamps). Most reputable CAs like Let's Encrypt, DigiCert, and Comodo automatically include SCTs. If your CA does not support CT, switch to one that does. Enable OCSP stapling on your server as an alternative SCT delivery mechanism.
For enterprise environments using private CAs, configure the Chrome enterprise policy CertificateTransparencyEnforcementDisabledForCas to exempt your internal CA. This can be set via Group Policy on Windows or managed preferences on macOS. For Linux Chrome, use the /etc/opt/chrome/policies/ directory. Test your certificate's CT compliance with online SSL testing tools that check for SCT presence.
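The enterprise exemption and the SCT check described above, as an added shell example (not code from the original page): CertificateTransparencyEnforcementDisabledForCas takes subjectPublicKeyInfo hashes written as sha256/<base64>, and the script derives that value from a CA certificate with the openssl CLI. The function names, the throwaway demo CA and the file names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. Requires the openssl CLI; function names are hypothetical.

# Print "sha256/<base64>" for a PEM certificate's subjectPublicKeyInfo, the
# value format CertificateTransparencyEnforcementDisabledForCas accepts.
spki_sha256() (
  # Extract the key first so a bad file fails here instead of hashing nothing.
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  b64=$(printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl base64 -A)
  [ -n "$b64" ] || exit 1
  printf 'sha256/%s\n' "$b64"
)

# Succeed only if the certificate embeds an SCT list
# (OID 1.3.6.1.4.1.11129.2.4.2, printed as "CT Precertificate SCTs").
# SCTs delivered only via OCSP stapling are not visible in the certificate.
has_embedded_scts() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -Eq 'CT Precertificate SCTs|1\.3\.6\.1\.4\.1\.11129\.2\.4\.2'
}

# Emit the policy JSON for one or more internal CA certificates. Hashes are
# collected before anything is printed, so a failure never yields a partial file.
ct_policy_json() (
  [ "$#" -gt 0 ] || { echo "usage: ct_policy_json ca.pem..." >&2; exit 2; }
  entries=''
  for ca in "$@"; do
    hash=$(spki_sha256 "$ca") || { echo "cannot hash $ca" >&2; exit 1; }
    entries="${entries:+$entries, }\"$hash\""
  done
  printf '{ "CertificateTransparencyEnforcementDisabledForCas": [%s] }\n' "$entries"
)

# Constructed sample input: a throwaway self-signed CA standing in for an
# internal CA (writes the certificate to $1 and its key to $1.key).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/O=Example Internal CA' -keyout "$1.key" -out "$1" 2>/dev/null
}

# Stand-alone use: ./ct_policy.sh internal-ca.pem > ct_exempt.json
if [ "$#" -gt 0 ]; then ct_policy_json "$@"; fi
```

On Linux, Chrome reads mandatory policy files from the managed/ subdirectory of the policies directory named above, so the generated JSON belongs there. Keep the exemption list limited to CAs you operate, since every listed key bypasses CT enforcement.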
Frequently Asked Questions
What is Certificate Transparency?
Certificate Transparency (CT) is a security framework requiring all public SSL certificates to be logged in public, auditable logs. It helps detect mis-issued or fraudulent certificates. Since April 2018, Chrome requires all new certificates to be CT-compliant.
What does ERR_CERTIFICATE_TRANSPARENCY_REQUIRED mean?
This error means the website's SSL certificate does not include proof (Signed Certificate Timestamps) that it was logged in Certificate Transparency logs. Chrome requires this for all publicly trusted certificates issued after April 2018.
How do I make my certificate CT-compliant?
Use a reputable CA that automatically logs certificates to CT logs. Let's Encrypt, DigiCert, Comodo, and most major CAs include SCTs by default. If your CA does not support CT, switch to one that does. Enable OCSP stapling as an alternative SCT delivery method.
Does this error affect internal/private certificates?
Private CA certificates are not required to be CT-logged, but Chrome may enforce CT if the CA is not properly configured as a trusted internal CA. Enterprise administrators should use Chrome's CertificateTransparencyEnforcementDisabledForCas policy.
Does Let's Encrypt support Certificate Transparency?
Yes, Let's Encrypt fully supports Certificate Transparency. All certificates issued by Let's Encrypt include embedded SCTs from multiple CT logs. You can verify this using an SSL testing tool that checks for CT compliance.