Skip to content

Instantly share code, notes, and snippets.

@sleevi
sleevi / 2020-07-01-results.txt
Last active Jul 2, 2020
OCSP Delegated Responders without nocheck
View 2020-07-01-results.txt
certificate_id | ca_id | parent_ca_id | parent_name | validity | revoked
----------------+--------+--------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------
2329203344 | 156182 | 134884 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root E46 | 2029-04-10 00:00:00 | f
2220986544 | 153121 | 134883 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root R46 | 2029-04-10 00:00:00 | f
2392141070 | 157937 | 36 | C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
@sleevi
sleevi / corbin-dallas-multipath.sql
Created Jun 23, 2020
Useful scripts for crt.sh path hacking
View corbin-dallas-multipath.sql
SELECT DISTINCT
ca.ID,
(coalesce(ca.NUM_ISSUED[1],0) - coalesce(ca.NUM_EXPIRED[1], 0)) as unexpired,
COUNT(DISTINCT c.ISSUER_CA_ID) as paths,
ca.NAME
FROM
ca
INNER JOIN ca_certificate AS ca_c
ON ca.ID = ca_c.CA_ID
INNER JOIN certificate AS c
@sleevi
sleevi / instructions.md
Last active Jun 23, 2020
Computing Mozilla Trusted CAs
View instructions.md

What this is

Absolutely terrible SQL queries against crt.sh to generate the links and nodes of the Mozilla Trusted CA Certificate graph.

How to use it

It's SQL, it should be obvious ;)

You can connect to https://crt.sh via psql using the following:

 psql -h crt.sh -p 5432 -U guest certwatch
@sleevi
sleevi / docs_BR.md
Last active Jan 17, 2020
Draft SC26
View docs_BR.md

CA/Browser Forum

Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates

CA/Browser Forum

Version 1.6.7

View cert.cnf
[req]
default_bits = 2048
default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
distinguished_name = @req_dn
x509_extensions = @req_ext
[req_dn]
@sleevi
sleevi / for-servers.md
Created Apr 19, 2017
CT Best Practices (April 2017)
View for-servers.md

CT For Server (Developers)

Intro

Similar to my advice regarding OCSP Stapling for servers/server developers, based on questions I've received about "CT best practices," I wanted to write something similar for those writing server software. That is, this isn't targeted at server operators, but for those writing software like Apache, nginx, Caddy, etc.

At the most basic level, the deployment of Certificate Transparency to date has largely tried to focus the burden on CAs, rather than on server developers. If the CA is doing everything right,

View ocsp-stapling.md

On Twitter the other day, I was lamenting the state of OCSP stapling support on Linux servers, and got asked by several people to write-up what I think the requirements are for OCSP stapling support.

  1. Support for keeping a long-lived (disk) cache of OCSP responses.

    This should be fairly simple. Any restarting of the service shouldn't blow away previous responses that were obtained. This doesn't need to be disk, just stable - and disk is an easy stable storage for most server

You can’t perform that action at this time.