Possibly of interest in blocking keys is Matt Palmer's great work in this space: https://pwnedkeys.com/
Mike

On Tue, Nov 26, 2024 at 10:32 AM 'Tim Hollebeek' via [email protected] <[email protected]> wrote:

> Thank you Hanno for bringing this to our attention. It turns out one of
> our sales engineers used this key pair to issue a certificate during a
> demonstration. Since it wasn't in the blocklist, it issued.
>
> We have about 1.5M key pairs in our blocklist, but there are a lot of
> places to look for key pairs, and we hadn't searched OpenSSL for them. We
> did that today in response to your discovery.
>
> As an aside, I'd like to encourage people to use the RFC 9500 test keys,
> where feasible, instead of generating new ones. This makes it much easier
> to block test keys in a more comprehensive way.
>
> We have added the OpenSSL private keys that were not already present on
> our key blocklist. For CAs who track external blocked keys, here is a list
> of OpenSSL private keys:
>
> https://github.com/openssl/openssl/tree/master/test/certs
>
> For general awareness, we also maintain a page where compromised private
> keys may be reported:
> https://problemreport.digicert.com/
>
> -Tim
>
> > -----Original Message-----
> > From: [email protected] <[email protected]> On
> > Behalf Of Hanno Böck
> > Sent: Monday, November 25, 2024 10:49 AM
> > To: [email protected]
> > Subject: Certificate with compromised key / *.digicert-demo.com
> >
> > Hi,
> >
> > I discovered a certificate with a compromised key. While this would usually be
> > an uninteresting event, I think this one is a bit more unusual.
> >
> > This certificate
> > https://crt.sh/?id=15456747789
> > issued by Digicert for *.digicert-demo.com uses this key (a test key from
> > OpenSSL's source code):
> > https://github.com/openssl/openssl/blob/master/test/certs/leaf.key
> >
> > As this is a hostname that is owned by the CA itself, it makes me wonder how
> > this happened.
> >
> > The certificate was revoked quickly after I reported it to Digicert.
> >
> > --
> > Hanno Böck - Independent security researcher https://itsec.hboeck.de/
> > https://badkeys.info/
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "[email protected]" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To view this discussion visit
> > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20241125164859.326b3b7d%40computer.
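The check Tim describes (refusing to issue when the requested public key is on a blocklist of known test or compromised keys) reduces to identifying keys by a stable fingerprint and looking that fingerprint up before signing. The following is an added example written for this thread, not code from DigiCert, OpenSSL, pwnedkeys or any poster. It assumes the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo as the key identifier (the same identifier pwnedkeys.com uses for lookups), uses only the Python standard library with a minimal DER walker, and all sample keys and the certificate skeleton are constructed in the block and are not real keys.

```python
"""Blocklist check for public keys, keyed by SHA-256 of the DER SubjectPublicKeyInfo.

Added example for the dev-security-policy thread above; not code from the
thread, DigiCert, OpenSSL or pwnedkeys. Standard library only.
"""
import base64
import hashlib
import re


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (minimal length form; used to build the sample data)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read(data: bytes, pos: int = 0):
    """Read one TLV at `pos`; return (tag, content, position after the TLV)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def der_children(content: bytes) -> list:
    """Split the content of a SEQUENCE into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body (the label is not checked)."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo from an X.509 certificate.

    Certificate -> tbsCertificate -> [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo.
    """
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:  # EXPLICIT [0] version present
        fields = fields[1:]
    tag, spki_content = fields[5]
    return der_encode(tag, spki_content)


def spki_fingerprint(spki_der: bytes) -> str:
    """Hex SHA-256 of the DER SPKI: the blocklist key used throughout."""
    return hashlib.sha256(spki_der).hexdigest()


class KeyBlocklist:
    """Fingerprints of public keys a CA must refuse to certify."""

    def __init__(self) -> None:
        self.fingerprints: set = set()

    def add_spki(self, spki_der: bytes) -> str:
        fp = spki_fingerprint(spki_der)
        self.fingerprints.add(fp)
        return fp

    def add_pem_public_key(self, pem: str) -> str:
        return self.add_spki(pem_to_der(pem))

    def is_blocked(self, spki_der: bytes) -> bool:
        return spki_fingerprint(spki_der) in self.fingerprints

    def check_certificate(self, cert_der: bytes) -> bool:
        """True if the certificate's key is blocked (issuance must be refused)."""
        return self.is_blocked(spki_from_certificate(cert_der))


# Constructed sample data: syntactically valid SPKI/certificate shells, not real keys.
OID_EC_PUBLIC_KEY = bytes.fromhex("2A8648CE3D0201")  # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2A8648CE3D030107")   # 1.2.840.10045.3.1.7


def make_fake_ec_spki(seed: int) -> bytes:
    """P-256 SPKI around an arbitrary (not on-curve) 65-byte public point."""
    point = b"\x04" + bytes([(seed + i) % 256 for i in range(64)])
    algorithm = der_encode(0x30, der_encode(0x06, OID_EC_PUBLIC_KEY)
                           + der_encode(0x06, OID_PRIME256V1))
    return der_encode(0x30, algorithm + der_encode(0x03, b"\x00" + point))


def make_fake_certificate(spki_der: bytes) -> bytes:
    """Unsigned Certificate skeleton with empty names, enough for SPKI extraction."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))  # v3
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, der_encode(0x06, OID_EC_PUBLIC_KEY))  # placeholder
    name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") * 2)
    tbs = der_encode(0x30, version + serial + sig_alg + name + validity + name + spki_der)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00"))


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    blocklist = KeyBlocklist()
    blocklist.add_pem_public_key(to_pem("PUBLIC KEY", make_fake_ec_spki(7)))
    print("blocked:", blocklist.check_certificate(make_fake_certificate(make_fake_ec_spki(7))))
    print("blocked:", blocklist.check_certificate(make_fake_certificate(make_fake_ec_spki(8))))
```

In a real deployment the blocklist would be populated from the public halves of the OpenSSL test keys, the RFC 9500 keys and a feed such as pwnedkeys; deriving a public key from a private key file needs a cryptographic library, which this standard-library-only example deliberately leaves out. The lookup itself is the important part: it runs on every CSR before signing, and it is cheap enough that a blocklist of millions of entries is just a set membership test.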
