To simplify the process of monitoring crt.sh, we at Siemens have implemented a
little web service which directly queries crt.sh DB and returns the errors as
JSON. By this you don't have to parse HTML files and can directly integrate it
into your monitoring. Maybe this function is of interest for some other CA:
https://eo0kjkxapi.execute-api.eu-central-1.amazonaws.com/prod/crtsh-monitor?caID=52410=30=false
To monitor your CA, replace the caID with your CA's ID from crt.sh. In case you
receive an endpoint time-out message, try again, crt.sh DB often returns time
outs. For more details or function requests, have a look into its GitHub repo:
https://github.com/RufusJWB/crt.sh-monitor
With best regards,
Rufus Buschart
Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.twitter.com/siemens
www.siemens.com/ingenuityforlife
Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann
Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive
Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike,
Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany;
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684;
WEEE-Reg.-No. DE 23691322
> -Ursprüngliche Nachricht-
> Von: dev-security-policy Im
> Auftrag von Enrico Entschew via dev-security-policy
> Gesendet: Dienstag, 27. November 2018 18:17
> An: mozilla-dev-security-pol...@lists.mozilla.org
> Betreff: Re: Incident report D-TRUST: syntax error in one tls certificate
>
> Am Montag, 26. November 2018 18:34:38 UTC+1 schrieb Jakob Bohm:
>
> > In addition to this, would you add the following:
> >
> > - Daily checks of crt.sh (or some other existing tool) if additional
> > such certificates are erroneously issued before the automated
> > countermeasures are in place?
>
> Thank you, Jakob. This is what we intended to do. We are monitoring crt.sh at
> least twice daily every day from now on.
>
> As to your other point, we do restrict the serial number element and the
> error occurred precisely in defining the constraints for this
> field. As mentioned above, we plan to make adjustments to our systems to
> prevent this kind of error in future.
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy