> On 30 Jun 2016, at 23:10, Andrew Ayer <a...@andrewayer.name> wrote:
> On Thu, 30 Jun 2016 22:36:19 +0200
> Christiaan Ottow <cot...@computest.nl> wrote:
>> We acquired certificates for a private domain (and some subdomains)
>> of the tester in question, and one for our domain pine.nl. Details of
>> the latter are attached, with the modulus and signature left out. The
>> SHA256 fingerprint of the certificate is:
>> A7:E5:BD:6E:81:8F:A8:CE:FD:73:97:32:70:06:89:59:98:86:33:5A:06:7E:FD:ED:EA:B6:19:B3:3F:67:F6:A1
> Thanks.  There's no SCT extension, despite StartCom claiming to embed
> SCTs in all certificates they issue.  Also, the cert was issued over a
> week ago, so even if StartCom was logging post-issuance the cert should
> have been logged by now.
> I would like to hear StartCom explain this as well.
> Regards,
> Andrew

If you plan on checking CT logs, make sure to check WoSign-signed certs as 
well. The "caID" parameter in the POST request to the StartEncrypt API allows 
you to select which CA will sign you certificate. The default, "2", makes that 
your request is signed by "StartCom Class 1 DV Server CA", "1" selects "WoSign 
CA Free SSL Certificate G2" and "0" selects "CA 沃通根证书". Perhaps the 
certificates are being logged into a different CT audit server because of this 

We selected "1" for a test certificate last week, and the certificate we 
obtained was dated 20 December 2015, and signed using a SHA-1 checksum. I've 
attached the certificate (excluding modulus and signature). The checksum 
(SHA256) of the full cert is 

Kind regards,

Christiaan Ottow
CTO Security

Computest • Pine Digital Security
M: +31 (0) 6 51997213 • T: +31 (0) 88 7331337
E: cot...@computest.nl • I: www.computest.nl  
A: Signaalrood 25 • 2718 SH Zoetermeer
P: https://www.pine.nl/4eo3UYWmU.asc
Pine Digital Security is part of Computest
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2
            Not Before: Dec 20 01:27:28 2015 GMT
            Not After : Dec 29 16:00:00 2016 GMT
        Subject: CN=startssl9.s.xnyhps.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

            Authority Information Access:
                OCSP - URI:http://ocsp1.wosign.com/ca6/server1/free
                CA Issuers - URI:http://aia1.wosign.com/ca6.server1.free.cer

            X509v3 CRL Distribution Points:

            X509v3 Subject Alternative Name:
            X509v3 Certificate Policies:
                  CPS: http://www.wosign.com/policy/

    Signature Algorithm: sha1WithRSAEncryption

Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to