SM2 Certificate Transparency (SM2 CT)

Drawing on the international Certificate Transparency mechanism
to establish the SM2 Certificate Transparency mechanism
ZoTrus works hard to build the SM2 certificate transparency ecosystem
Protecting the security and trust of SM2 SSL certificates and ensuring
the security of China's website system

1. Drawing on the international Certificate Transparency mechanism to establish the SM2 Certificate Transparency mechanism

HTTPS encryption is a must for website security. All browsers apply zero trust to HTTP cleartext websites and directly display “Not secure” in the address bar. How, then, is the security of the SSL certificates used for HTTPS encryption ensured? The answer is the certificate transparency mechanism led by Google, which has successfully protected the security of more than 7.6 billion SSL certificates worldwide, effectively eliminating maliciously or mistakenly issued SSL certificates.

At present, China is vigorously promoting the adoption of SM2 algorithm SSL certificates and of SM2 HTTPS encryption to ensure the security of China's website system. However, the SM2 SSL certificates issued by Chinese CA operators do not currently support certificate transparency, because the existing certificate transparency log systems do not support the SM2 algorithm or SM2 SSL certificates. How can the security and trust of SM2 SSL certificates be ensured? The answer is to learn from the international certificate transparency system and establish an SM2 certificate transparency system.

Since 2013, the international certificate transparency system has given rise to a series of ecosystem products that support certificate transparency: certificate transparency log systems that sign certificate timestamps for SSL certificates, browsers that support certificate transparency and can verify the SCT data embedded in an SSL certificate, and CA operators that can issue SSL certificates with embedded SCT data. In addition, the browser must trust these SSL certificates that already embed SCT data. At present, China does not have such certificate transparency ecosystem products that support the SM2 algorithm and SM2 SSL certificates.

To learn more about international certificate transparency, please visit its official website: https://certificate.transparency.dev

2. ZoTrus works hard to build the SM2 certificate transparency ecosystem

Richard Wang, the founder of ZoTrus Technology, has 18 years of experience in the research and development of CA systems and the operation of international CA business. He fully recognizes that China must have certificate transparency ecosystem products that support the SM2 algorithm to ensure that SM2 SSL certificates are secure and trusted; otherwise China will not be able to popularize the use of SM2 SSL certificates to ensure the security of China's website system. ZoTrus Technology invested in R&D for 15 months and, in October 2022, successfully built the world's first certificate transparency ecosystem that supports the SM2 algorithm, including the world's first SM2 certificate transparency log system, the world's first SM2 browser that supports SM2 certificate transparency (ZT Browser), and the world's first CA system that can issue SM2 SSL certificates with SM2 SCT data (ZoTrus Cloud SSL System).

2.1 ZoTrus Certificate Transparency Log System

This is the world's first certificate transparency log system implemented with the SM2 algorithm and the first to provide a certificate transparency log service for the SM2 SSL certificates issued by CerSign Technology and ZoTrus Technology, which enhances confidence and trust in the SM2 SSL certificates issued by CerSign and ZoTrus. The system is also open to all CA operators trusted by ZT Browser, providing a free SM2 certificate transparency log service to ensure that the SM2 SSL certificates issued by these CA operators are secure and trusted.

The ZoTrus SM2 Certificate Transparency Log Service accepts only SM2 algorithm SSL certificates and does not accept RSA/ECC SSL certificates. The certificate transparency signed certificate timestamp (SCT) data is digitally signed using the SM3_SM2 algorithms. Browsers and operating systems that do not support the SM2 algorithms cannot parse the SCT data embedded in an SM2 SSL certificate normally and therefore cannot verify the SCT data in the SM2 SSL certificate.

Three ZoTrus SM2 Certificate Transparency Log Systems have been deployed: https://log.sm2ct.cn, https://sm2ct.cersign.cn, https://log.sm2ct.com, located at the JD Cloud Guangzhou node, the Tencent Cloud Guangzhou node, and the China Telecom TianyiCloud Guizhou node. These 3 deployed ZoTrus SM2 Certificate Transparency Log Systems are included and trusted by ZT Browser.

To learn more about SM2 Certificate Transparency, please visit the official website: https://sm2ct.com

2.2 ZoTrus Cloud SSL System

This is the world's first CA system that can issue SM2 SSL certificates supporting SM2 certificate transparency. Each SM2 SSL certificate issued includes SCT data trusted by ZT Browser, guaranteeing that each SM2 SSL certificate is trustworthy and protecting against SSL man-in-the-middle attacks.

As shown in the figure on the left below, ZT Browser views the certificate transparency log data contained in the SM2 SSL certificate issued by ZoTrus Cloud SSL system, and it does not parse the log data like Google Chrome. However, if you download the SSL certificate and use the Windows Certificate Viewer to view it, as shown in the figure on the right below, it identifies that this SM2 SSL certificate contains the SCT List field, and it can display most of the important information in the SCT data normally, but the signature algorithm of the SCT data cannot be identified.

[Figure: SCT List (left: ZT Browser; right: Windows Certificate Viewer)]
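An added example (not ZoTrus code and not part of the original page): a minimal parser for the TLS-encoded SCT list defined in RFC 6962, showing how a viewer limited to the RFC 5246 algorithm tables reads the log ID and timestamp of every SCT but cannot name the signature algorithm of an SM2 one. The sample bytes are constructed, and the 0xE0 code points are private-use placeholders, because the page does not state which values the ZoTrus logs use for SM3 and SM2; the input is the list after the DER OCTET STRING wrapping of the certificate extension has been removed.

```python
import struct

# RFC 5246 tables that RFC 6962 SCT signatures reference; neither lists SM3 or SM2.
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

def parse_sct(sct):
    """Parse one TLS-encoded SCT: version, log_id, timestamp, extensions, signature."""
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
    off = 43 + ext_len                      # 1 + 32 + 8 + 2 header bytes, then extensions
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, off)
    if off + 4 + sig_len != len(sct):
        raise ValueError("SCT length does not match its signature field")
    return {
        "version": version,                 # 0 means v1
        "log_id": log_id.hex(),
        "timestamp_ms": ts_ms,
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "algorithms_known": hash_alg in HASH_ALGS and sig_alg in SIG_ALGS,
    }

def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList: 2-byte total, then length-prefixed SCTs."""
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        (sct_len,) = struct.unpack_from(">H", data, pos)
        body = data[pos + 2 : pos + 2 + sct_len]
        if len(body) != sct_len:
            raise ValueError("truncated SCT")
        scts.append(parse_sct(body))
        pos += 2 + sct_len
    return scts

def build_sample_list():
    """Constructed sample: two SCTs with placeholder signatures and no extensions."""
    def sct(log_id, hash_alg, sig_alg, sig=b"\x00" * 70):
        return (struct.pack(">B32sQH", 0, log_id, 1700000000000, 0)
                + struct.pack(">BBH", hash_alg, sig_alg, len(sig)) + sig)
    # 4/3 = sha256/ecdsa; 0xE0/0xE0 are private-use placeholders standing in for SM3/SM2.
    body = b"".join(struct.pack(">H", len(s)) + s
                    for s in (sct(b"\xaa" * 32, 4, 3), sct(b"\xbb" * 32, 0xE0, 0xE0)))
    return struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    print(*parse_sct_list(build_sample_list()), sep="\n")
```

A client that reports `algorithms_known` as false can still display the SCT but has no basis for verifying its signature, so it should treat that SCT as unverified rather than as valid.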

As shown in the figure on the left below, Certificate Transparency (SM2, 3) indicates that this website's certificate has been submitted to 3 SM2 Certificate Transparency Log Systems: two ZoTrus SM2 Certificate Transparency Log Systems and one CerSign SM2 Certificate Transparency Log System. For example, in ZoTrus ‘SM2CTcn2024’, the first part is the name of the CT log provider and the last part is the name of the CT log system. You can click “Learn more” to find out what the certificate transparency icon means.

[Figure: Certificate Transparency (left: SM2 SSL certificate; right: ECC SSL certificate)]

Another important feature of the ZoTrus Cloud SSL system is that, for each SM2 SSL certificate it issues, it automatically issues a globally trusted ECC algorithm SSL certificate bound to the same domain name and identity information. This ECC SSL certificate contains international certificate transparency log data, and ZT Browser displays its certificate transparency information. As shown in the figure on the right above, this ECC SSL certificate is logged by the Google Log System and the Cloudflare Log System for the international certificate transparency log service.

ZoTrus Cloud SSL System is a dual-algorithm SSL certificate issuance system, which automatically issues dual SSL certificates for ZoTrus Gateway and cloud service, realizes dual-algorithm adaptive encryption, meets the actual application needs of customers to support all browsers, and realizes China cryptography compliance and global trust.

2.3 ZT Browser

This is the world's first SM2 browser that supports SM2 Certificate Transparency, and the world's first browser that verifies, in real time, the SM2 certificate transparency SCT data embedded in an SM2 SSL certificate. ZT Browser includes and trusts the three SM2 certificate transparency log servers deployed by ZoTrus Technology; it displays “Certificate Transparency” together with the SM2 certificate transparency log details contained in the certificate, as shown in the left figure below. If a website has deployed an SM2 SSL certificate that is trusted by ZT Browser but does not embed SCT data, ZT Browser displays “Certificate NOT Transparency”.

[Figure: ZT Browser]

ZT Browser plans to adopt the same certificate transparency strategy as Google Chrome when appropriate. If an SM2 SSL certificate does not embed SCT data trusted by ZT Browser, ZT Browser will display “Not secure” in the address bar. This is the same certificate transparency warning page as in the open-source Chromium code; it clearly reminds the user that the SM2 SSL certificate has not been publicly disclosed under the certificate transparency policy, which exists to ensure that the SM2 SSL certificate is trustworthy and to protect against attackers.

[Figure: ZT Browser]

You are welcome to download and use, free of charge, ZT Browser, the world's first completely free SM2 browser that supports SM2 Certificate Transparency.

3. Protecting the security and trust of SM2 SSL certificates and ensuring the security of China's website system

The three SM2 certificate transparency ecosystem products created by ZoTrus Technology are the ZoTrus SM2 Certificate Transparency Log System, the ZoTrus Cloud SSL System, and ZT Browser. These are China's first SM2 Certificate Transparency ecosystem products; they effectively guarantee the security and trust of SM2 SSL certificates, and so ensure the security and controllability of China's website system.

Be Prepared, Plan Ahead! Be prepared for danger in times of peace, take precautions!