Thanks Alex, I took a look, it looks like the check pings crt.sh - is doing that for a large number of certificates acceptable, Rob?

I made a smaller set, the certificates that have 'SSL server: Yes' or 'Any Purpose : Yes', there were only a few thousand that verified, so I just checked those and found 551 not in crt.sh. (The *vast* majority are code signing certificates, many are individual Apple developer certificates.) Is this useful? If not, what key usage is interesting?

https://lock.cmpxchg8b.com/ServerOrAny.zip

Tavis.

On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor <[email protected]> wrote:
> If you're interested in playing around with submitting them yourself, or
> checking if they're already submitted, I've got some random tools for
> working with CT: https://github.com/alex/ct-tools
>
> Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what you
> want. It's all serial, so for 8M certs you probably want to Bring Your Own
> Parallelism (I should fix this...)
>
> Alex
>
> On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy <
> [email protected]> wrote:
>
>> On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote:
>>
>>> On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote:
>>>
>> <snip>
>>
>>>> Is there an easy way to check which certificates from my set you're
>>>> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
>>>> for fuzzing).
>>>>
>>>> I collected these from public sources, so can just give you my whole
>>>> set if you already have tools for importing them and don't mind
>>>> processing them, I have around ~8M (mostly leaf) certificates, the
>>>> set with isCa will be much smaller.
>>>>
>>>
>>> Please do post the whole set. I suspect there are several people on
>>> this list (including myself and Rob) who have the tools and experience
>>> to process large sets of certificates and post them to public
>>> Certificate Transparency logs (whence they will be fed into crt.sh).
>>>
>>> It would be useful to include the leaf certificates as well, to catch
>>> CAs which are engaging in bad practices such as signing non-SSL certs
>>> with SHA-1 under an intermediate that is capable of issuing SSL
>>> certificates.
>>>
>>> Thanks a bunch for this!
>>>
>>
>> +1
>>
>> Tavis, please do post the whole set. And thanks!
>>
>> --
>> Rob Stradling
>> Senior Research & Development Scientist
>> COMODO - Creating Trust Online
>> _______________________________________________
>> dev-security-policy mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
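The selection step Tavis describes above (keep only the certificates that could serve TLS, then look each one up in crt.sh), as an added example for this thread. It is not code from the thread, from ct-tools or from crt.sh. It uses only the Python standard library, with a deliberately minimal DER walker that is just enough to reach the Extended Key Usage extension of an X.509 certificate. The selection rule (no EKU at all, serverAuth, or anyExtendedKeyUsage) is an EKU-only approximation of the 'SSL server' / 'Any Purpose' criterion and not a reimplementation of OpenSSL's purpose checks, which also look at keyUsage and basicConstraints. The sample certificates are constructed in the code as unsigned shells with empty names and keys; the crt.sh URL assumes the site's fingerprint search (`?q=<sha256>`), and `der_to_pem` is there because `ct-tools check` takes PEM files.

```python
"""Select TLS-server-capable certificates from a DER/PEM set and build crt.sh lookups.

Added example, not from the thread. Stdlib only: a minimal DER walker (single-byte
tags, which is all X.509 uses), not a general X.509 parser."""
import base64
import hashlib
import re
from typing import Dict, Iterator, List, Optional, Tuple

OID_EXT_KEY_USAGE = "2.5.29.37"
OID_ANY_EKU = "2.5.29.37.0"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING = 0x30, 0x06, 0x04
TAG_EXTENSIONS = 0xA3  # [3] EXPLICIT extensions in TBSCertificate


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or raw DER; return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def der_to_pem(der: bytes) -> bytes:
    """PEM armor, 64 columns, as ct-tools and openssl expect it."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def _tlv_at(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Iterate over the TLVs packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv_at(value, pos)
        yield tag, val


def decode_oid(value: bytes) -> str:
    """OBJECT IDENTIFIER contents (base-128 arcs) -> dotted string."""
    arcs, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def extended_key_usage(der: bytes) -> Optional[List[str]]:
    """Return the EKU OIDs, or None when the certificate carries no EKU extension."""
    _, cert, _ = _tlv_at(der, 0)        # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _tlv_at(cert, 0)        # tbsCertificate is the first element
    for tag, wrapper in _children(tbs):
        if tag != TAG_EXTENSIONS:
            continue
        _, exts, _ = _tlv_at(wrapper, 0)            # SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))           # extnID, [critical], extnValue
            if decode_oid(fields[0][1]) != OID_EXT_KEY_USAGE:
                continue
            _, eku_seq, _ = _tlv_at(fields[-1][1], 0)  # OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for t, v in _children(eku_seq) if t == TAG_OID]
    return None


def is_tls_server_capable(der: bytes) -> bool:
    """EKU absent, serverAuth present, or anyExtendedKeyUsage present (EKU-only test)."""
    eku = extended_key_usage(der)
    return eku is None or OID_SERVER_AUTH in eku or OID_ANY_EKU in eku


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def crt_sh_url(der: bytes) -> str:
    """crt.sh accepts a SHA-256 certificate fingerprint as the q= search key."""
    return "https://crt.sh/?q=" + sha256_fingerprint(der)


def select_for_crt_sh(certs: Dict[str, bytes]) -> Dict[str, str]:
    """{name: crt.sh URL} for the TLS-server-capable members of a PEM/DER cert set."""
    return {n: crt_sh_url(pem_to_der(c)) for n, c in certs.items() if is_tls_server_capable(pem_to_der(c))}


# --- constructed test material: unsigned certificate shells, not real certificates ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def make_test_cert(ekus: Optional[List[str]]) -> bytes:
    """X.509 v3 shell: empty names, zero-length key, fake signature, optional critical EKU."""
    alg = _tlv(TAG_SEQUENCE, encode_oid("1.2.840.113549.1.1.11") + _tlv(0x05, b""))
    name = _tlv(TAG_SEQUENCE, b"")
    validity = _tlv(TAG_SEQUENCE, _tlv(0x17, b"170101000000Z") + _tlv(0x17, b"180101000000Z"))
    spki = _tlv(TAG_SEQUENCE, alg + _tlv(0x03, b"\x00"))
    body = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name + validity + name + spki
    if ekus is not None:
        eku_value = _tlv(TAG_SEQUENCE, b"".join(encode_oid(o) for o in ekus))
        ext = _tlv(TAG_SEQUENCE, encode_oid(OID_EXT_KEY_USAGE) + _tlv(0x01, b"\xff")
                   + _tlv(TAG_OCTET_STRING, eku_value))
        body += _tlv(TAG_EXTENSIONS, _tlv(TAG_SEQUENCE, ext))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, body) + alg + _tlv(0x03, b"\x00"))


SAMPLE_CERTS = {  # constructed samples, not issued by any CA
    "server": make_test_cert([OID_SERVER_AUTH, "1.3.6.1.5.5.7.3.2"]),
    "codesign": make_test_cert([OID_CODE_SIGNING]),
    "any": make_test_cert([OID_ANY_EKU]),
    "no-eku": make_test_cert(None),
}

if __name__ == "__main__":
    for name, url in select_for_crt_sh(SAMPLE_CERTS).items():
        print(name, extended_key_usage(SAMPLE_CERTS[name]), url)
```

Point `select_for_crt_sh` at a dict built from the files in a dump and it returns one crt.sh URL per candidate; write the same candidates out with `der_to_pem` if they are to go through `ct-tools check` instead. The walker deliberately stops at the EKU extension, so a certificate with a malformed EKU (the kind of thing a fuzzing corpus is full of) raises an IndexError rather than being silently classified; wrap the call and log those separately rather than dropping them.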

