Sample Code: End-to-End Certificate Transparency requests on ADCS CA
Published Jan 24 2020 02:10 PM 3,391 Views

First published on TECHNET on Dec 12, 2018
Hello all, Tochi Ezebube here again from the Active Directory Certificate Services engineering team.

Sometime back, we released support for the precertificate flow of Certificate Transparency v1 (RFC 6962) in Windows Server 2016 ( ). For this to work end-to-end, the component submitting the request to the ADCS CA must submit the returned precertificate to a suitable set of Certificate Transparency Logs using the RFC 6962 protocol, aggregate the results as a SignedCertificateTimestampList, and return it to the ADCS CA for X.509 issuance.

Since release, we’ve received a number of requests for sample code to speak the RFC 6962 protocol between the CA and the CT Logs. Here is an unofficial sample to get you started with precertificate submission. It is released as-is with the usual caveats.

Sample code:
Sample.sln code breakdown:

    • SampleLibrary.csproj: library containing a simple ILogClient and implementation, which speaks the RFC 6962 protocol for adding certificates & precertificates, as well as preparing the SignedCertificateTimestampList object.


    • ConsoleApp.csproj: simple console app illustrating an ADCS CA CT enrollment end-to-end, utilizing SampleLibrary.csproj for Certificate Transparency interactions.

To use:

    1. Register your ADCS CA certificate's root with the CT Log to be used.


    1. Enable the Certificate Transparency feature on your ADCS CA and restart the CA service as follows:

        1. certutil.exe -setreg CA\CertificateTransparencyFlags 0x1

        1. net stop certsvc

        1. net start certsvc


    1. Open Sample.sln in Visual Studio.


    1. Verify it builds.


    1. Run ConsoleApp.exe passing in the ADCS CA config string and the CT Log URI, for example:

        1. ConsoleApp.exe {ServerName}\{CAName}

Happy coding…


Version history
Last update:
‎Feb 21 2020 06:01 AM
Updated by: