To simplify the process of monitoring crt.sh, we at Siemens have implemented a little web service which directly queries the crt.sh DB and returns the errors as JSON. This way you don't have to parse HTML files and can directly integrate it into your monitoring. Maybe this function is of interest to some other CA:
https://eo0kjkxapi.execute-api.eu-central-1.amazonaws.com/prod/crtsh-monitor?caID=52410&daystolookback=30&excluderevoked=false

To monitor your CA, replace the caID with your CA's ID from crt.sh. In case you receive an endpoint time-out message, try again; the crt.sh DB often returns time-outs. For more details or feature requests, have a look at its GitHub repo: https://github.com/RufusJWB/crt.sh-monitor

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.twitter.com/siemens
www.siemens.com/ingenuityforlife

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On behalf of Enrico Entschew via dev-security-policy
> Sent: Tuesday, 27 November 2018 18:17
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incident report D-TRUST: syntax error in one tls certificate
>
> On Monday, 26 November 2018 18:34:38 UTC+1, Jakob Bohm wrote:
>
> > In addition to this, would you add the following:
> >
> > - Daily checks of crt.sh (or some other existing tool) if additional
> > such certificates are erroneously issued before the automated
> > countermeasures are in place?
>
> Thank you, Jakob. This is what we intended to do. We are monitoring crt.sh at
> least twice daily every day from now on.
>
> As to your other point, we do restrict the serial number element and the
> error occurred precisely in defining the constraints for this field. As
> mentioned above, we plan to make adjustments to our systems to prevent this
> kind of error in future.
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
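One way to run the same kind of check yourself, as an added example that is not the crt.sh-monitor service's code and not part of the thread: a Python script that queries crt.sh's public PostgreSQL interface for lint findings on certificates issued by one crt.sh CA ID within a look-back window, optionally drops revoked certificates, and emits JSON that a monitoring system can consume. The connection string (host crt.sh, database certwatch, user guest), the table and column names (lint_cert_issue, lint_issue, certificate, crl_revoked), the x509_* helper functions and the severity labels are assumptions about the certwatch schema, so verify them against the live DB before relying on them; the sample rows are constructed, and `--sample` runs the script offline on them.

```python
"""crt.sh lint monitor for one issuing CA (added example, not the thread's tool).

Assumptions (not from the thread): crt.sh exposes a read-only PostgreSQL mirror
at crt.sh:5432 (db certwatch, user guest, no password) with the certwatch tables
lint_cert_issue, lint_issue, certificate and crl_revoked, the x509_notBefore /
x509_serialNumber helpers, and the severity labels FATAL/ERROR/WARNING/NOTICE/INFO.
"""
import argparse
import json
import sys
from datetime import date, datetime, timedelta

CRTSH_DSN = "host=crt.sh port=5432 dbname=certwatch user=guest connect_timeout=30"
SEVERITY_ORDER = {"FATAL": 0, "ERROR": 1, "WARNING": 2, "NOTICE": 3, "INFO": 4}
ALERT_SEVERITIES = ("FATAL", "ERROR")

# Constructed sample rows in the shape build_query() selects; not real crt.sh data.
SAMPLE_ROWS = [
    (1001, datetime(2018, 11, 20, 10, 0, 0), "00a1b2c3", "zlint", "ERROR", "constructed ERROR finding", False),
    (1001, datetime(2018, 11, 20, 10, 0, 0), "00a1b2c3", "cablint", "WARNING", "constructed WARNING finding", False),
    (1002, datetime(2018, 11, 22, 9, 30, 0), "7f00ff", "zlint", "ERROR", "constructed ERROR finding", True),
]


def build_query(ca_id, days_to_look_back, exclude_revoked, today=None):
    """Return (sql, params) for psycopg2. Parameters are bound, never interpolated."""
    if days_to_look_back <= 0:
        raise ValueError("days_to_look_back must be positive")
    since = (today or date.today()) - timedelta(days=days_to_look_back)
    revoked_subquery = """(SELECT 1 FROM crl_revoked cr
             WHERE cr.ca_id = c.issuer_ca_id
               AND cr.serial_number = x509_serialNumber(c.certificate))"""
    sql = f"""
SELECT c.id,
       x509_notBefore(c.certificate) AS not_before,
       encode(x509_serialNumber(c.certificate), 'hex') AS serial,
       li.linter, li.severity, li.issue_text,
       EXISTS {revoked_subquery} AS revoked
FROM lint_cert_issue lci
JOIN lint_issue li ON li.id = lci.lint_issue_id
JOIN certificate c ON c.id = lci.certificate_id
WHERE lci.issuer_ca_id = %s
  AND lci.not_before_date >= %s
"""
    if exclude_revoked:
        sql += f"  AND NOT EXISTS {revoked_subquery}\n"
    sql += "ORDER BY not_before DESC, c.id, li.severity\n"
    return sql, [ca_id, since]


def summarize(ca_id, days_to_look_back, rows):
    """Group rows (id, not_before, serial, linter, severity, text, revoked) per
    certificate, newest first, with issues ordered by severity; JSON-serialisable."""
    certs, counts = {}, {}
    for cert_id, not_before, serial, linter, severity, text, revoked in rows:
        entry = certs.setdefault(cert_id, {
            "id": cert_id,
            "crtsh_url": f"https://crt.sh/?id={cert_id}",
            "not_before": not_before.isoformat() if hasattr(not_before, "isoformat") else str(not_before),
            "serial": serial,
            "revoked": bool(revoked),
            "issues": [],
        })
        entry["issues"].append({"linter": linter, "severity": severity, "text": text})
        counts[severity] = counts.get(severity, 0) + 1
    ordered = sorted(certs.values(), key=lambda e: e["not_before"], reverse=True)
    for entry in ordered:
        entry["issues"].sort(key=lambda i: SEVERITY_ORDER.get(i["severity"], 99))
    return {"ca_id": ca_id, "days_to_look_back": days_to_look_back,
            "certificate_count": len(ordered), "issue_counts": counts, "certificates": ordered}


def exit_code(report):
    """Non-zero when any FATAL/ERROR finding is present, so cron/monitoring can page on it."""
    return 1 if any(s in report["issue_counts"] for s in ALERT_SEVERITIES) else 0


def fetch_report(ca_id, days_to_look_back, exclude_revoked):
    """Run the live query; psycopg2 is only needed here, not for the offline path."""
    import psycopg2
    sql, params = build_query(ca_id, days_to_look_back, exclude_revoked)
    try:
        with psycopg2.connect(CRTSH_DSN) as conn, conn.cursor() as cur:
            cur.execute("SET statement_timeout = 120000")  # the crt.sh DB often times out; bound the wait
            cur.execute(sql, params)
            rows = cur.fetchall()
    except psycopg2.OperationalError as exc:
        raise RuntimeError(f"crt.sh DB unavailable or timed out, retry later: {exc}") from exc
    return summarize(ca_id, days_to_look_back, rows)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="JSON lint report for one crt.sh CA ID")
    ap.add_argument("--ca-id", type=int, default=52410)
    ap.add_argument("--days", type=int, default=30)
    ap.add_argument("--exclude-revoked", action="store_true")
    ap.add_argument("--sample", action="store_true", help="use constructed rows, no network")
    args = ap.parse_args()
    rows = [r for r in SAMPLE_ROWS if not (args.exclude_revoked and r[6])] if args.sample else None
    report = summarize(args.ca_id, args.days, rows) if rows is not None \
        else fetch_report(args.ca_id, args.days, args.exclude_revoked)
    print(json.dumps(report, indent=2))
    sys.exit(exit_code(report))
```

Bound parameters keep the CA ID and date out of the SQL text, and the non-zero exit status turns any FATAL/ERROR finding into a failed cron job, which is the hook a monitoring system usually needs.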