Often CA configurations and settings are complex and can be difficult to manage. We would like to remind CA operators that they need to be familiar with the configuration and operation of all aspects of CA software and ensure that they have adequate documentation and training.
For example, in April, a CA operator in the Mozilla Root Program received a post-issuance warning that a certificate with an RSASSA-PSS key had made it through the EJBCA pre-issuance check.[1][2] Apparently, “Check for RSA” on CSR input allowed an RSASSA-PSS key through because it was considered part of the RSA suite that was whitelisted. Internal documentation for CA setup did not include the correct validator (pre-issuance) configuration. The CA operator started an investigation into why this occurred. Upon investigation, the CA operator discovered that the validator had only started functioning after a configuration change that an engineer made without realizing it, by clicking Save after selecting the validator in the CA settings. The CA operator explained that highlighting the specific validator was an additional required step after adding a certificate profile in the validator settings. This additional step was not clearly stated in the CA software manual.

The vendor has explained that this misunderstanding arose because validators need to be enabled on a per-certificate-profile basis, so that the same CA can host multiple profiles without validators conflicting with each other. Because certificate profiles can be shared amongst multiple CAs, the validator needs to be selected there as well. The vendor also recommends that CA operators run the provided human-readable configuration export tool and diff its output after upgrades and configuration changes, to verify that nothing unintended has changed.

In summary, the general purpose of this email is to urge all CA operators to be familiar with the configuration processes of the CA software that they use, and specifically to alert users of EJBCA to the procedural measures described above.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1630870
[2] EJBCA software by PrimeKey has a pre-issuance “validator” system for keys, amongst which an external validator to run linters. See https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/validators-overview/post-processing-validators

dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
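To illustrate the failure mode described in the email, here is an added example (not from the email, EJBCA or PrimeKey): a pure-Python key check over a DER SubjectPublicKeyInfo that contrasts a whitelist matching the whole PKCS#1 OID arc (which admits id-RSASSA-PSS) with one that accepts only rsaEncryption. The sample SPKI blobs are constructed and carry a dummy key bit string, and the function names (`sample_spki`, `arc_whitelist_accepts`, `strict_rsa_accepts`) are my own.

```python
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption: the only OID a plain RSA profile should accept
RSA_ARC = "1.2.840.113549.1.1"           # PKCS#1 arc, also home to id-RSASSA-PSS (...1.1.10)

def _tlv(buf, pos):
    # Read one DER TLV at pos -> (tag, value, next_pos); handles short and long lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    # Dotted form of a DER OBJECT IDENTIFIER body (base-128 arcs, first byte packs two)
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def spki_algorithm(spki_der):
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
    tag, spki, _ = _tlv(spki_der, 0)
    tag2, alg_id, _ = _tlv(spki, 0)
    tag3, oid, _ = _tlv(alg_id, 0)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER SubjectPublicKeyInfo")
    return _decode_oid(oid)

def arc_whitelist_accepts(spki_der):
    # Lenient "is it RSA?" check: anything under the PKCS#1 arc passes, so PSS keys slip through
    return spki_algorithm(spki_der).startswith(RSA_ARC + ".")

def strict_rsa_accepts(spki_der):
    # Strict check: exactly rsaEncryption, nothing else from the arc
    return spki_algorithm(spki_der) == RSA_ENCRYPTION

def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length; enough for these samples

def sample_spki(last_arc, params):
    # Constructed sample SPKI; the BIT STRING holds a dummy value, not a real RSA key
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + params)
    return _der(0x30, alg + _der(0x03, b"\x00\x02\x01\x03"))

RSA_SAMPLE = sample_spki(1, b"\x05\x00")   # rsaEncryption with NULL parameters
PSS_SAMPLE = sample_spki(10, b"\x30\x00")  # id-RSASSA-PSS with empty RSASSA-PSS-params
```

A profile that is meant to issue only plain RSA certificates should use the exact-match form; the arc-prefix form reproduces the pass that triggered the post-issuance warning.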