First published on TECHNET on Dec 12, 2018

Hello all, Tochi Ezebube here again from the Active Directory Certificate Services engineering team.
Some time back, we released support for the precertificate flow of Certificate Transparency v1 (RFC 6962) in Windows Server 2016 (https://support.microsoft.com/en-us/help/4093260/introduction-of-ad-cs-certificate-transparency). For this to work end-to-end, the component submitting the request to the ADCS CA must submit the returned precertificate, together with its chain, to a suitable set of Certificate Transparency logs using the RFC 6962 add-pre-chain call, collect the Signed Certificate Timestamp (SCT) each log returns, pack them into a SignedCertificateTimestampList, and return that list to the ADCS CA, which embeds it in the final X.509 certificate at issuance.
Since release, we’ve received a number of requests for sample code to speak the RFC 6962 protocol between the CA and the CT Logs. Here is an unofficial sample to get you started with precertificate submission. It is released as-is with the usual caveats.
SampleLibrary.csproj: library containing a simple ILogClient and implementation, which speaks the RFC 6962 protocol for adding certificates & precertificates, as well as preparing the SignedCertificateTimestampList object.
ConsoleApp.csproj: simple console app illustrating an ADCS CA CT enrollment end-to-end, utilizing SampleLibrary.csproj for Certificate Transparency interactions.
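The sample library is C#, but the wire formats it has to produce are language-neutral, so here is an added example (not code from the sample or from the ADCS team) in pure Python showing the three pieces the submitting component is responsible for: the JSON body for add-pre-chain, the TLS-encoded SerializedSCT built from each log's JSON reply, and the SignedCertificateTimestampList that goes back to the CA (RFC 6962 sections 3.2, 3.3 and 4.2). The log response below is constructed for illustration (a dummy log ID and a dummy ECDSA signature body); a real log's signature would be verified against the log's public key over the precertificate's TBSCertificate, which this example does not do.

```python
"""RFC 6962 precertificate submission wire formats (added example, stdlib only)."""
import base64
import json
import struct

SCT_V1 = 0  # RFC 6962 Version.v1
EXT_OID_EMBEDDED_SCT_LIST = "1.3.6.1.4.1.11129.2.4.2"  # extension carrying the list


def add_pre_chain_request(precert_der: bytes, chain_der: list[bytes]) -> bytes:
    """JSON body for POST <log>/ct/v1/add-pre-chain (RFC 6962 section 4.2).

    'chain' is the precertificate first, then the certificates leading to a
    root the log accepts, each as base64 DER."""
    chain = [base64.b64encode(c).decode() for c in [precert_der, *chain_der]]
    return json.dumps({"chain": chain}).encode()


def encode_sct(resp: dict) -> bytes:
    """Serialize one add-pre-chain JSON reply into a SerializedSCT (section 3.2).

    The 'signature' field is already a TLS DigitallySigned struct
    (hash alg, sig alg, 2-byte length, signature), so it is appended as-is."""
    if resp["sct_version"] != SCT_V1:
        raise ValueError("only SCT v1 is supported")
    log_id = base64.b64decode(resp["id"])
    if len(log_id) != 32:
        raise ValueError("log id must be a 32-byte SHA-256 of the log key")
    extensions = base64.b64decode(resp.get("extensions", ""))
    signature = base64.b64decode(resp["signature"])
    return (struct.pack("!B", SCT_V1) + log_id + struct.pack("!Q", resp["timestamp"])
            + struct.pack("!H", len(extensions)) + extensions + signature)


def encode_sct_list(scts: list[bytes]) -> bytes:
    """SignedCertificateTimestampList: 2-byte length, then 2-byte-prefixed SCTs."""
    if not scts:
        raise ValueError("at least one SCT is required")
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(body)) + body


def der_octet_string(content: bytes) -> bytes:
    """DER OCTET STRING; the list is wrapped in one inside the extension."""
    n = len(content)
    if n < 128:
        return b"\x04" + bytes([n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(ln)]) + ln + content


def decode_sct(sct: bytes) -> dict:
    """Parse a SerializedSCT back into its fields, checking every length."""
    if sct[0] != SCT_V1:
        raise ValueError("unsupported SCT version")
    (timestamp,) = struct.unpack_from("!Q", sct, 33)
    (ext_len,) = struct.unpack_from("!H", sct, 41)
    off = 43 + ext_len
    hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", sct, off)
    signature = sct[off + 4: off + 4 + sig_len]
    if len(signature) != sig_len or off + 4 + sig_len != len(sct):
        raise ValueError("truncated or over-long SCT")
    return {"log_id": sct[1:33], "timestamp": timestamp, "extensions": sct[43:off],
            "hash_algorithm": hash_alg, "signature_algorithm": sig_alg,
            "signature": signature}


def decode_sct_list(data: bytes) -> list[dict]:
    """Inverse of encode_sct_list, as a relying party or the CA would parse it."""
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("outer length does not match")
    off, out = 2, []
    while off < len(data):
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        if off + n > len(data):
            raise ValueError("truncated SCT entry")
        out.append(decode_sct(data[off:off + n]))
        off += n
    return out


# Constructed sample reply, not from any real log: dummy log id, dummy signature
# (hash 4 = sha256, sig 3 = ecdsa, then a 6-byte placeholder signature body).
SAMPLE_RESPONSE = {
    "sct_version": 0,
    "id": base64.b64encode(bytes(range(32))).decode(),
    "timestamp": 1544572800000,  # milliseconds since epoch, 2018-12-12T00:00:00Z
    "extensions": "",
    "signature": base64.b64encode(bytes([4, 3]) + struct.pack("!H", 6)
                                  + b"\x30\x04\x02\x00\x02\x00").decode(),
}

if __name__ == "__main__":
    sct = encode_sct(SAMPLE_RESPONSE)
    ext_value = der_octet_string(der_octet_string(encode_sct_list([sct, sct])))
    print(len(sct), "byte SCT;", len(ext_value), "byte extension value")
    print(decode_sct_list(encode_sct_list([sct])))
```

Two practical checks fall out of this: every length field is validated on the way back in, because a log reply is untrusted input to the CA, and the list is built only from SCTs whose log ID you recognise, since the CA will embed whatever list it is handed.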
Register your ADCS CA's root certificate with the CT log to be used. A log only accepts submissions that chain to a root it already trusts (its /ct/v1/get-roots endpoint lists them), so a precertificate chaining to an unregistered root is rejected.
Enable the Certificate Transparency feature on your ADCS CA and restart the CA service as follows: