[cabfpub] Test Certificates

Jeremy Rowley jeremy.rowley at digicert.com
Fri Jan 27 18:37:14 UTC 2017


Based on the recent post about Symantec's test certificates, we ran a
comprehensive review through crt.sh on certificates issued for "testing
purposes" that violate the baseline requirements in some manner, generally
through inclusion of incorrect O information or through an internal name in
the subjectAltName or CN. 

 

Here's what we found that chain to a DigiCert operated root:

[image001.png: list of the Verizon certificates, attached as an image and scrubbed from the archive]

We've requested that Verizon revoke each of these certificates and put in
place policies and procedures that ensure this does not happen again.
Verizon has already revoked two certificates. We're waiting to hear back
from them about the remaining 26.

 

Here's a general summary of what we found for the rest of the CAs. Details
on the certs are being sent to the CA running the infrastructure:


Count   Issuer Name
-----   -----------
  533   C=US, O=Oracle Corporation, OU=Symantec Trust Network, CN=Oracle SSL CA - G2
   70   C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
   23   C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer CA G14-SHA2
   12   C=US, O=Oracle Corporation, OU=VeriSign Trust Network, OU=Class 3 MPKI Secure Server CA, CN=Oracle SSL CA
   11   C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2014 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1M
    3   C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer EV SSL CA G14-SHA2
    2   C=CH, O=SwissSign AG, CN=SwissSign Server Gold CA 2008 - G2
    2   C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureCodeSign CA G14-SHA2
    2   O=VeriSign Trust Network, OU="VeriSign, Inc.", OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
    2   C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA - G2
    1   C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
    1   C=CH, O=SwissSign AG, CN=SwissSign EV Gold CA 2014 - G22
    1   C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, emailAddress=premium-server@thawte.com
-----
  663   Grand Total

 

This is by no means comprehensive as we simply searched for certificates
labeled as "test" certificates in the identity. Let me know if you have
questions. I sent this only to the CAB Forum mailing list for now, although
I'm happy to share it with the Mozilla dev policy list as well.

 

Jeremy
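A worked example of the kind of check behind a review like the one above, added here as an illustration; it is not part of Jeremy's post and not DigiCert's tooling. Given subject and SAN data for a set of certificates (the sample records, issuer names and subject names below are constructed), it flags "test" identities in the subject O/OU and Internal Names (single-label host names, reserved suffixes such as .local or .corp, non-public IP addresses) in the SAN or CN, then tallies offending certificates per issuer the way the pivot table above does. The reserved-suffix list and the "test" regex are assumptions; a production check would parse real certificates (for example pulled from crt.sh) and consult the IANA TLD list rather than a hand-written set.

```python
# Added example (not from the original post): flag "test" identities and
# Internal Names in certificate subject/SAN data, then tally hits per issuer.
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: suffixes that public DNS will never resolve. RFC 6761/6762
# reserve .test/.example/.invalid/.localhost/.local; the rest are common
# corporate conventions. A real check should use the IANA TLD list instead.
RESERVED_SUFFIXES = {"local", "localhost", "test", "example", "invalid",
                     "internal", "corp", "lan", "intranet", "home"}

# Assumption: a "test" identity is a subject O or OU containing the word
# test/testing. CN is left out because test.example.com is a legitimate host.
TEST_RE = re.compile(r"\btest(?:ing)?\b", re.IGNORECASE)


@dataclass
class CertRecord:
    issuer: str          # issuer DN as a string, as crt.sh displays it
    subject: dict        # subject RDNs, e.g. {"O": "...", "CN": "..."}
    sans: list           # dNSName / iPAddress entries as strings


def is_internal_name(name: str) -> bool:
    """BR "Internal Name": an IP that is not publicly routable, or a host
    name that cannot be verified through public DNS."""
    host = name.strip().rstrip(".").lower()
    if host.startswith("*."):
        host = host[2:]
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        pass                      # not an IP literal, treat as a host name
    if "." not in host:
        return True               # single-label name such as "mailserver"
    return host.rsplit(".", 1)[1] in RESERVED_SUFFIXES


def audit(record: CertRecord) -> list:
    """Return a list of BR problems found in one certificate record."""
    findings = []
    for rdn in ("O", "OU"):
        value = record.subject.get(rdn)
        if value and TEST_RE.search(value):
            findings.append(f"test identity in subject {rdn}: {value!r}")
    names = list(record.sans)
    cn = record.subject.get("CN")
    if cn and cn not in names:
        names.append(cn)          # a CN holding a host name counts too
    for n in names:
        if is_internal_name(n):
            findings.append(f"internal name in SAN/CN: {n!r}")
    return findings


def count_by_issuer(records) -> Counter:
    """Pivot like the table in the post: offending certificates per issuer."""
    return Counter(r.issuer for r in records if audit(r))


# Constructed sample records; issuer and subject names are made up.
ISSUER_A = "C=US, O=Example Trust Ltd, CN=Example Secure Server CA - G1"
ISSUER_B = "C=US, O=Example Trust Ltd, CN=Example EV Server CA - G1"
SAMPLE = [
    CertRecord(ISSUER_A, {"O": "Test Company", "CN": "www.example.com"},
               ["www.example.com"]),
    CertRecord(ISSUER_A, {"O": "Example Corp", "CN": "mailserver"},
               ["mailserver", "mailserver.corp"]),
    CertRecord(ISSUER_B, {"O": "Example Corp", "CN": "vpn.example.net"},
               ["vpn.example.net", "10.1.2.3"]),
    CertRecord(ISSUER_B, {"O": "Example Corp", "CN": "www.example.net"},
               ["www.example.net"]),                  # compliant
]

if __name__ == "__main__":
    for rec in SAMPLE:
        for problem in audit(rec):
            print(f"{rec.issuer}: {problem}")
    for issuer, n in count_by_issuer(SAMPLE).most_common():
        print(f"{n:5d}  {issuer}")
```

Run as a script it prints each finding and then a count-per-issuer summary in the same shape as the table above. Note that `is_internal_name` treats wildcards by stripping the leading `*.` and only knows the short reserved-suffix set, so an unregistered TLD outside that set will pass unflagged; that is the gap the IANA list closes.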

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 2020923 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20170127/2f25da99/attachment-0001.png>