Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes

Disables enforcing Certificate Transparency requirements for a list of subjectPublicKeyInfo hashes.

This policy allows disabling Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used for Enterprise hosts.

In order for Certificate Transparency enforcement to be disabled when this policy is set, one of the following conditions must be met:
1. The hash is of the server certificate's subjectPublicKeyInfo.
2. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, that CA certificate is constrained via the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName contains an organizationName attribute.
3. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate contains the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.

A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".

If this policy is not set, any certificate that is required to be disclosed via Certificate Transparency will be treated as untrusted if it is not disclosed according to the Certificate Transparency policy.

Example value:

sha256/AAAAAAAAAAAAAAAAAAAAAA==
sha256//////////////////////w==


Supported on: At least Microsoft Windows 7 or Windows Server 2008 family
Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas
Value Name{number}
Value TypeREG_SZ
Default Value

chrome.admx

Administrative Templates (Computers)

Administrative Templates (Users)