As pointed out by one of my engineers, there is a simpler way by doing a simple direct query [1] in the read-only database of crt.sh. Using Rufus' example:

SELECT get_ca_name_attribute(issuer_ca_id, 'organizationName') issuer_o, 
ISSUER_CA_ID, FATAL_CERTS, ERROR_CERTS, WARNING_CERTS FROM lint_1week_summary 
WHERE LINTER = 'cablint' AND ISSUER_CA_ID=52410;

Anyone can automate this process with tools they are more familiar with.


Dimitris.

[1] https://groups.google.com/forum/#!topic/crtsh/sUmV0mBz8bQ
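
The two approaches in this thread (Dimitris' direct query against the crt.sh read-only database, and Rufus' service that returns the lint results as JSON for monitoring) are easy to combine in a small poller. The following is an added example by the editor, not code from the thread, from Siemens or from crt.sh. It assumes the public crt.sh PostgreSQL replica (host crt.sh, database certwatch, user guest) and psycopg2 for the live path; the evaluation, retry and JSON parts run offline on a constructed sample row set.

```python
"""Monitor a CA's crt.sh lint results and turn them into JSON alerts.

Editor's example, not code from the thread, Siemens or crt.sh. The live
path assumes crt.sh's public read-only PostgreSQL replica and psycopg2;
everything else runs offline on constructed sample rows.
"""
import json
import time
from dataclasses import asdict, dataclass
from typing import Callable, List, Optional, Sequence, Tuple

# Assumption: crt.sh's published read-only connection parameters.
CRTSH_DSN = "host=crt.sh port=5432 dbname=certwatch user=guest connect_timeout=20"

# Dimitris' query, with the linter and CA id as bound parameters so a CA id
# that arrives from e.g. an HTTP query string is never spliced into the SQL.
LINT_SUMMARY_SQL = """
SELECT get_ca_name_attribute(issuer_ca_id, 'organizationName') AS issuer_o,
       issuer_ca_id, fatal_certs, error_certs, warning_certs
  FROM lint_1week_summary
 WHERE linter = %s AND issuer_ca_id = %s
"""

# (issuer_o, issuer_ca_id, fatal_certs, error_certs, warning_certs)
Row = Tuple[str, int, int, int, int]

# Constructed sample result, standing in for what the query would return.
SAMPLE_ROWS: List[Row] = [("Example Trust Services", 52410, 0, 1, 2)]


@dataclass
class Finding:
    issuer_o: str
    issuer_ca_id: int
    linter: str
    severity: str  # "fatal", "error" or "warning"
    count: int


def parse_ca_id(raw: str) -> int:
    """Accept only a plain non-negative integer as the crt.sh CA id."""
    text = raw.strip()
    if not text.isdigit():
        raise ValueError(f"invalid crt.sh CA id: {raw!r}")
    return int(text)


def evaluate(rows: Sequence[Row], linter: str, warn_is_alert: bool = False) -> List[Finding]:
    """Turn summary rows into findings: FATAL and ERROR always alert, WARNING optionally."""
    findings: List[Finding] = []
    for issuer_o, ca_id, fatal, error, warning in rows:
        for severity, count in (("fatal", fatal), ("error", error), ("warning", warning)):
            if count <= 0:
                continue
            if severity == "warning" and not warn_is_alert:
                continue
            findings.append(Finding(issuer_o, ca_id, linter, severity, count))
    return findings


def query_with_retry(run_query: Callable[[str, tuple], Sequence[Row]], params: tuple,
                     attempts: int = 3, backoff: float = 0.0) -> Tuple[Sequence[Row], int]:
    """Run the query, retrying on failure because the crt.sh DB frequently times out.

    Returns (rows, attempts_used); re-raises the last error if every attempt fails.
    """
    last_exc: Optional[Exception] = None
    for attempt in range(1, attempts + 1):
        try:
            return run_query(LINT_SUMMARY_SQL, params), attempt
        except Exception as exc:  # time-outs surface as driver-specific errors
            last_exc = exc
            if attempt < attempts and backoff > 0:
                time.sleep(backoff * attempt)
    assert last_exc is not None
    raise last_exc


def to_json(findings: Sequence[Finding]) -> str:
    """Serialise findings the way a monitoring endpoint would return them."""
    return json.dumps([asdict(f) for f in findings], sort_keys=True)


def fetch_live(sql: str, params: tuple) -> Sequence[Row]:
    """Live path against crt.sh; needs network access and psycopg2 (assumption)."""
    import psycopg2  # imported lazily so the offline parts run without it
    with psycopg2.connect(CRTSH_DSN) as conn:
        with conn.cursor() as cur:
            cur.execute(sql, params)
            return cur.fetchall()


if __name__ == "__main__":
    # Offline demonstration on the constructed rows.
    rows, used = query_with_retry(lambda sql, p: SAMPLE_ROWS, ("cablint", parse_ca_id("52410")))
    print(f"query succeeded after {used} attempt(s)")
    print(to_json(evaluate(rows, "cablint")))
    # For real monitoring, swap in fetch_live:
    # rows, _ = query_with_retry(fetch_live, ("cablint", parse_ca_id("52410")), backoff=5.0)
```

Run it twice a day from cron or a scheduler and page on any non-empty output; the lint_1week_summary view only covers the last week, so a daily or twice-daily cadence, as Enrico describes below, is enough to catch every mis-issued certificate it reports.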




On 28/11/2018 2:07 p.m., Pedro Fuentes via dev-security-policy wrote:
Hi Rufus,
I got internal server error on that link, but I really appreciate your post and 
the link to code!
Pedro

On Wednesday, 28 November 2018, 8:45:42 (UTC+1), Buschart, Rufus 
wrote:
To simplify the process of monitoring crt.sh, we at Siemens have implemented a 
little web service which directly queries the crt.sh DB and returns the errors as 
JSON. This way you don't have to parse HTML files and can integrate it directly 
into your monitoring. Maybe this function is of interest to some other CA:

https://eo0kjkxapi.execute-api.eu-central-1.amazonaws.com/prod/crtsh-monitor?caID=52410&daystolookback=30&excluderevoked=false

To monitor your CA, replace the caID with your CA's ID from crt.sh. In case you 
receive an endpoint time-out message, try again; the crt.sh DB often returns 
time-outs. For more details or feature requests, have a look at its GitHub repo: 
https://github.com/RufusJWB/crt.sh-monitor


With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:[email protected]

-----Original Message-----
From: dev-security-policy <[email protected]> On 
behalf of Enrico Entschew via dev-security-policy
Sent: Tuesday, 27 November 2018 18:17
To: [email protected]
Subject: Re: Incident report D-TRUST: syntax error in one tls certificate

On Monday, 26 November 2018 18:34:38 UTC+1, Jakob Bohm wrote:

In addition to this, would you add the following:

- Daily checks of crt.sh (or some other existing tool) if additional
such certificates are erroneously issued before the automated
countermeasures are in place?

Thank you, Jakob. This is what we intended to do. We are monitoring crt.sh at 
least twice daily every day from now on.

As to your other point, we do restrict the serial number element and the error 
occurred precisely in defining the constraints for this field. As mentioned 
above, we plan to make adjustments to our systems to prevent this kind of error 
in future.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy