CA/Browser Forum
Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates
CA/Browser Forum
Version 1.6.7
Ryan Sleevi sleevi
Absolutely terrible SQL queries against crt.sh to generate the links and nodes of the Mozilla Trusted CA Certificate graph.
It's SQL, it should be obvious ;)
You can connect to https://crt.sh via psql using the following:
psql -h crt.sh -p 5432 -U guest certwatch
sleevi
/ 2020-07-01-results.txt
Last active
July 2, 2020 01:57
OCSP Delegated Responders without nocheck
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| certificate_id | ca_id | parent_ca_id | parent_name | validity | revoked | |
| ----------------+--------+--------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+--------- | |
| 2329203344 | 156182 | 134884 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root E46 | 2029-04-10 00:00:00 | f | |
| 2220986544 | 153121 | 134883 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root R46 | 2029-04-10 00:00:00 | f | |
| 2392141070 | 157937 | 36 | C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA |
Similar to my advice regarding OCSP Stapling for servers/server developers, based on questions I've received about "CT best practices," I wanted to write something similar for those writing server software. That is, this isn't targeted at server operators, but for those writing software like Apache, nginx, Caddy, etc.
At the most basic level, the deployment of Certificate Transparency to date has largely tried to focus the burden on CAs, rather than on server developers. If the CA is doing everything right,
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [req] | |
| default_bits = 2048 | |
| default_md = sha256 | |
| string_mask = utf8only | |
| prompt = no | |
| encrypt_key = no | |
| distinguished_name = @req_dn | |
| x509_extensions = @req_ext | |
| [req_dn] |
sleevi
/ corbin-dallas-multipath.sql
Created
June 23, 2020 02:53
Useful scripts for crt.sh path hacking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT DISTINCT | |
| ca.ID, | |
| (coalesce(ca.NUM_ISSUED[1],0) - coalesce(ca.NUM_EXPIRED[1], 0)) as unexpired, | |
| COUNT(DISTINCT c.ISSUER_CA_ID) as paths, | |
| ca.NAME | |
| FROM | |
| ca | |
| INNER JOIN ca_certificate AS ca_c | |
| ON ca.ID = ca_c.CA_ID | |
| INNER JOIN certificate AS c |
sleevi
/ ocsp-stapling.md
Last active
February 21, 2024 14:20
On Twitter the other day, I was lamenting the state of OCSP stapling support on Linux servers, and got asked by several people to write-up what I think the requirements are for OCSP stapling support.
-
Support for keeping a long-lived (disk) cache of OCSP responses.
This should be fairly simple. Any restarting of the service shouldn't blow away previous responses that were obtained. This doesn't need to be disk, just stable - and disk is an easy stable storage for most server