Adam Wasserman <ad...@adamwasserman.net>: Jun 13 07:36AM -0700
Hi all,
I am new to cert transparency, and I don't understand something I am seeing:
I am using Cali Dog's CertStream to monitor new cert issuance and I am
seeing multiple X509LogEntries for a single host (I filtered out PreCerts).
Below are a few examples of what I mean; the layout is:
hostname
source log
update type
message type
authority
fingerprint
serial number, and
I added a timestamp of when it was read from the certstream
The host, source, and CA are the same, and the fingerprint and serial number
are different. At first I thought it might be some kind of propagation
between logs, but in the example below the polled log is the same in all
three cases...
I would really like to understand what I am looking at. I was hoping
someone could take the time to explain it :)
Thx in advance,
Adam
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update,
OCSP - URI:http://ocsp.comodoca4.com
CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt,
03:9D:02:34:E8:E7:DF:DC:10:19:24:8A:2C:A9:93:E9:20:71:95:93,
4514A395208FD36ADB8582D9394EE1CE, 2018-06-08 18-27-20

zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update,
OCSP - URI:http://ocsp.comodoca4.com
CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt,
06:13:3E:FB:F5:01:5D:BD:02:E9:DC:E2:05:C3:D4:38:64:03:DD:68,
D2C3635EFF70175FC53A20F09724CA65, 2018-06-08 18-27-26

zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update,
OCSP - URI:http://ocsp.comodoca4.com
CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt,
87:67:E5:37:67:5E:57:1A:5F:B7:C7:C5:4F:92:6F:13:1D:9E:2B:98,
DE706E2A682BBB580B63725941E49195, 2018-06-08 18-27-20
Alex Cohn <al...@alexcohn.com>: Jun 13 11:41AM -0500
Those are three different certificates (https://crt.sh/?id=509845763,
https://crt.sh/?id=509911866, and https://crt.sh/?id=509867989,
respectively), issued by Comodo to CloudFlare. Each covers a slightly
different set of domains - look at the "X509v3 Subject Alternative Name"
extension; they're mostly, but not entirely identical.
CloudFlare acquires certificates covering their customers' domains as part
of their Free SSL offering. They combine batches of customer domains onto
one certificate; I'm guessing this is to reduce the number of keys they
have to distribute to their edge caches. You're seeing them add/remove
domains from this certificate; since certificates are immutable, Comodo
issues and logs an entirely new certificate every time.
HTH,
Alex
p.s. Depending on your use case, I'd recommend against excluding
pre-certificates from your search - not all CAs log the final certificate
(I believe DigiCert, GoDaddy, and Amazon don't), so you'll miss some final
certificates unless a third party finds and submits them.
On Wed, Jun 13, 2018 at 9:37 AM Adam Wasserman <ad...@adamwasserman.net>
wrote:
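The following is an added example, not code from either poster or from the CertStream project, illustrating Alex's two points: the repeated X509LogEntry records for one host are distinct certificates whose Subject Alternative Name sets differ slightly, and a pre-certificate and its final certificate share a serial number, so keying on (issuer, serial) lets you keep PrecertLogEntry records without double counting. The message layout is a simplified, constructed version of CertStream's JSON (`message_type`, `data.update_type`, `data.source.name`, `data.leaf_cert.*`); the serials, fingerprints, SAN lists and the issuer URL are made up and do not correspond to the certificates in the thread.

```python
"""Group CertStream-style log entries per watched host and diff their SAN sets.

Constructed example: the message shape loosely follows CertStream's JSON, but
every value below is made up.
"""
import json


def _msg(update_type, serial, fingerprint, domains):
    """Build one constructed CertStream-style certificate_update message."""
    return {
        "message_type": "certificate_update",
        "data": {
            "update_type": update_type,
            "source": {"name": "Google 'Pilot' log"},
            "leaf_cert": {
                "serial_number": serial,
                "fingerprint": fingerprint,
                "all_domains": domains,
                "extensions": {
                    # Hypothetical issuer URL, not a real CA's AIA value.
                    "authorityInfoAccess": "CA Issuers - URI:http://crt.example/IssuerCA.crt"
                },
            },
        },
    }


WATCHED_HOST = "zz5b0zbooks.ml"

# Constructed sample stream (serials, fingerprints and SANs are invented).
SAMPLE_MESSAGES = [
    # Pre-certificate, then the final certificate with the same serial: one cert.
    # The fingerprints differ because the precert carries the poison extension.
    _msg("PrecertLogEntry", "AAAA0001", "11:11:11", ["zz5b0zbooks.ml", "alpha.example", "beta.example"]),
    _msg("X509LogEntry", "AAAA0001", "22:22:22", ["zz5b0zbooks.ml", "alpha.example", "beta.example"]),
    # Re-issued with one customer domain swapped: new serial, new fingerprint.
    _msg("X509LogEntry", "AAAA0002", "33:33:33", ["zz5b0zbooks.ml", "beta.example", "gamma.example"]),
    # Re-issued again with one domain added.
    _msg("X509LogEntry", "AAAA0003", "44:44:44", ["zz5b0zbooks.ml", "beta.example", "gamma.example", "delta.example"]),
    # Unrelated certificate that must be ignored for the watched host.
    _msg("X509LogEntry", "BBBB0001", "55:55:55", ["other.example"]),
]


def parse_message(msg):
    """Flatten one message into the fields listed in the thread's layout."""
    if msg.get("message_type") != "certificate_update":
        return None
    data = msg["data"]
    leaf = data["leaf_cert"]
    return {
        "update_type": data["update_type"],
        "source": data["source"]["name"],
        "issuer": leaf["extensions"].get("authorityInfoAccess", ""),
        "fingerprint": leaf["fingerprint"],
        "serial": leaf["serial_number"].upper(),
        "domains": frozenset(d.lower() for d in leaf["all_domains"]),
    }


def group_for_host(messages, host):
    """Return one record per distinct certificate that names `host`.

    Records are keyed by (issuer, serial), so a PrecertLogEntry and the
    X509LogEntry for the same certificate collapse into a single record;
    the entry types seen for that certificate are collected in order.
    """
    certs = {}
    for msg in messages:
        entry = parse_message(msg)
        if entry is None or host.lower() not in entry["domains"]:
            continue
        key = (entry["issuer"], entry["serial"])
        record = certs.setdefault(key, {**entry, "entry_types": []})
        record["entry_types"].append(entry["update_type"])
    return list(certs.values())


def san_diffs(records):
    """Domains added and removed between each consecutive pair of certificates."""
    return [
        {"added": sorted(cur["domains"] - prev["domains"]),
         "removed": sorted(prev["domains"] - cur["domains"])}
        for prev, cur in zip(records, records[1:])
    ]


if __name__ == "__main__":
    found = group_for_host(SAMPLE_MESSAGES, WATCHED_HOST)
    for rec in found:
        print(rec["serial"], rec["fingerprint"], rec["entry_types"], sorted(rec["domains"]))
    print(json.dumps(san_diffs(found), indent=2))
```

Run against a live CertStream feed, the same grouping reports a single record per certificate regardless of whether the CA logged only the pre-certificate, and the SAN diff between consecutive records makes the "mostly, but not entirely identical" domain sets visible without opening each certificate on crt.sh.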