Thank you Hanno for bringing this to our attention. It turns out one of our sales engineers used this key pair to issue a certificate during a demonstration. Since it wasn't in the blocklist, it issued.
We have about 1.5M key pairs in our blocklist, but there are a lot of places to look for key pairs, and we hadn't searched OpenSSL for them. We did that today in response to your discovery.

As an aside, I'd like to encourage people to use the RFC 9500 test keys, where feasible, instead of generating new ones. This makes it much easier to block test keys in a more comprehensive way.

We have added the OpenSSL private keys that were not already present on our key blocklist. For CAs who track external blocked keys, here is a list of OpenSSL private keys: https://github.com/openssl/openssl/tree/master/test/certs.

For general awareness, we also maintain a page where compromised private keys may be reported: https://problemreport.digicert.com/.

-Tim

> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Hanno Böck
> Sent: Monday, November 25, 2024 10:49 AM
> To: [email protected]
> Subject: Certificate with compromised key / *.digicert-demo.com
>
> Hi,
>
> I discovered a certificate with a compromised key. While this would usually be an uninteresting event, I think this one is a bit more unusual.
>
> This certificate
> https://crt.sh/?id=15456747789
> issued by Digicert for *.digicert-demo.com uses this key (a test key from OpenSSL's source code):
> https://github.com/openssl/openssl/blob/master/test/certs/leaf.key
>
> As this is a hostname that is owned by the CA itself, it makes me wonder how this happened.
>
> The certificate was revoked quickly after I reported it to Digicert.
>
> --
> Hanno Böck - Independent security researcher
> https://itsec.hboeck.de/
> https://badkeys.info/
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20241125164859.326b3b7d%40computer.
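Added example, not code from the thread, from DigiCert or from OpenSSL: a stdlib-only Python sketch of the check a CA's issuance pipeline runs against a compromised-key blocklist. It keys the blocklist on the SHA-256 of the SubjectPublicKeyInfo (SPKI) DER, walks a certificate's DER to pull out its SPKI, and reports a hit. The blocklist inputs are assumed to be PEM public keys (for example `openssl pkey -pubout` run over the OpenSSL and RFC 9500 test keys); the certificate and key bytes below are constructed toys, not real keys or a valid certificate.

```python
import base64
import hashlib
import re

def der_read(buf: bytes):
    """Read one DER element: (tag, value, whole_element, remaining_bytes)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[:pos + length], buf[pos + length:]

def extract_spki(cert_der: bytes) -> bytes:
    """Return the encoded SubjectPublicKeyInfo of a DER X.509 certificate."""
    _, cert_body, _, _ = der_read(cert_der)                  # Certificate SEQUENCE
    _, tbs_body, _, _ = der_read(cert_body)                  # tbsCertificate SEQUENCE
    fields, rest = [], tbs_body
    while rest:                                              # split TBSCertificate into fields
        tag, _, whole, rest = der_read(rest)
        fields.append((tag, whole))
    # TBSCertificate: [0] version (optional), serial, signature, issuer, validity, subject, SPKI, ...
    tag, spki = fields[6 if fields[0][0] == 0xA0 else 5]
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return spki

def pem_public_key_to_der(pem: str) -> bytes:
    """Decode a 'BEGIN PUBLIC KEY' PEM block (e.g. `openssl pkey -pubout` output) to SPKI DER."""
    body = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of the SPKI DER, the usual identifier in compromised-key blocklists."""
    return hashlib.sha256(spki_der).hexdigest()

def build_blocklist(spki_ders) -> set:
    return {spki_fingerprint(d) for d in spki_ders}

def is_blocked(cert_der: bytes, blocklist: set) -> bool:
    return spki_fingerprint(extract_spki(cert_der)) in blocklist
# Constructed toy certificate for the demo: X.509-shaped, but not a real or valid certificate.
def _der(tag: int, body: bytes) -> bytes:                    # short-form DER encoder (< 128 bytes)
    return bytes([tag, len(body)]) + body

_RSA_ALG = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption
_SIG_ALG = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")   # sha256WithRSA
TOY_SPKI = _der(0x30, _RSA_ALG + _der(0x03, b"\x00\x01\x02"))                 # toy key bits
TOY_CERT = _der(0x30, _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01") + _SIG_ALG
                           + _der(0x30, b"") * 3 + TOY_SPKI) + _SIG_ALG + _der(0x03, b"\x00\x00"))
TOY_PEM = "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(TOY_SPKI).decode() + "-----END PUBLIC KEY-----\n"
```

Running `is_blocked(TOY_CERT, build_blocklist([pem_public_key_to_der(TOY_PEM)]))` returns True, which is the signal that should have stopped the demo certificate at issuance time.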
