Certificate transparency required

What it means

Certificate Transparency is a public, append-only record of issued certificates that makes mis-issuance easier to catch. Chrome and other browsers require publicly trusted certificates to come with proof they were logged, in the form of signed certificate timestamps. NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED means that proof is missing or insufficient, so the browser won't trust the certificate even if it's otherwise valid.

When it happens

This affects certificates issued without proper CT log entries, which can happen with a misconfigured or non-compliant CA, or with a certificate that predates the CT requirement and is still in use. It can also appear when an intercepting proxy re-signs traffic with certificates that were never logged, which is exactly the kind of interception CT is designed to expose.

How to fix it

1. 1Reissue the certificate from a CA that submits to Certificate Transparency logs and embeds the signed timestamps.
2. 2Confirm the served certificate actually carries valid SCTs after reissuing.
3. 3If an enterprise proxy is re-signing traffic, make sure its certificates are CT-compliant or scoped so they don't break public sites.
4. 4Replace any old certificate issued before CT enforcement with a compliant one.