Hello fellow mortals,
A few weeks ago I collected some data on the prevalence of Precertificate Signing Certificates. At the time my interest was in simplifying X.509 chain validation for CT log implementations, to help converge on stock X.509 validators. But also, Precertificate Signing Certificates are just a pain to reason about and implement. In light of the recent log-killing bug, I figured it would be useful to share this data.
The full list of unexpired non-testing Precertificate Signing Certificate Subjects is below, along with the crt.sh SQL query I used to retrieve it. I then looked up unexpired certificates on crt.sh for the parent of each of those. (Please do double-check my work! And thank you to crt.sh!)
In short, there seem to be only two CA operators that use Precertificate Signing Certificates: VikingCloud and NETLOCK. Only three of those intermediates have issued more than 100 unexpired certificates (1, 2, 3), and in total they issued less than 1,500 unexpired certificates. If my math is right, that's less than 0.0002% of the WebPKI.
IMHO, Precertificate Signing Certificates ain't carrying their weight.
Cheers,
Filippo
---
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK OnlineSSL CTCA
CN=Trustwave OV SHA256 Pre-Certificate CA, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US
CN=Trustwave DV SHA256 Pre-Certificate CA, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US
CN=Trustwave Secure Global EV Pre-Certificate CA, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US
CN=Trustwave XRamp Global EV Pre-Certificate CA, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK Trust Qualified EV CTCA
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK Domain Validated CTCA
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK Trust Qualified EV 2 CTCA
CN=Trustwave Global EV P-256 Pre-Certificate CA, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US
CN=Trustwave Global EV Pre-Certificate CA, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US
CN=Trustwave Global EV P-384 Pre-Certificate CA, O="Trustwave Holdings, Inc.", L=Chicago, ST=Illinois, C=US
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK Trust EV CTCA 2
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK Trust Qualified EV 3 CTCA
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK Trust Qualified EV 3 CTCA
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK Trust EV CTCA 3
C=HU, L=Budapest, O=NETLOCK Ltd., CN=NETLOCK Trust EV CTCA 3
C=HU, L=Budapest, O=NETLOCK Kft., CN=NETLOCK DVSSL CTCA
C=US, ST=Michigan, L=Southfield, O="Viking Cloud, Inc.", CN=Viking Cloud EV Pre-Certificate CA
C=US, ST=Michigan, L=Southfield, O="Viking Cloud, Inc.", CN=Viking Cloud OV Pre-Certificate CA
C=US, ST=Michigan, L=Southfield, O="Viking Cloud, Inc.", CN=Viking Cloud DV Pre-Certificate CA
C=HU, L=Budapest, O=NETLOCK Kft., CN=NETLOCK TLS Qualified EV ECC CTCA, organizationIdentifier=VATHU-12201521
C=HU, L=Budapest, O=NETLOCK Kft., CN=NETLOCK TLS DV ECC CTCA, organizationIdentifier=VATHU-12201521
C=HU, L=Budapest, O=NETLOCK Kft., CN=NETLOCK TLS EV ECC CTCA, organizationIdentifier=VATHU-12201521
C=HU, L=Budapest, O=NETLOCK Kft., CN=NETLOCK TLS OV ECC CTCA, organizationIdentifier=VATHU-12201521
C=US, O="Viking Cloud, Inc.", CN="VikingCloud TWG PRE DV CA, Level 2"
C=US, O="Viking Cloud, Inc.", CN="VikingCloud TWG PRE OV CA, Level 1"
C=US, O="Viking Cloud, Inc.", CN="VikingCloud TWG PRE EV CA, Level 1"
C=US, O="Viking Cloud, Inc.", CN="VikingCloud SG PRE EV CA, Level 1"
C=US, O="Viking Cloud, Inc.", CN="VikingCloud XG PRE EV CA, Level 1"
C=US, O="Viking Cloud, Inc.", CN="VikingCloud TWG PRE P2 EV CA, Level 1"
C=US, O="Viking Cloud, Inc.", CN="VikingCloud TWG PRE P3 EV CA, Level 1"
-- Precertificate Signing Certificates known to crt.sh: CA certificates carrying
-- the CT Precertificate Signing EKU (OID 1.3.6.1.4.1.11129.2.4.4, RFC 6962),
-- restricted to those still valid on the cutoff date. The ISSUER_CA_ID filter
-- is the "non-testing" exclusion. One row is returned per certificate, so a
-- re-issued signing certificate with the same Subject appears more than once.
SELECT c.ID, cac.CA_ID, c.ISSUER_CA_ID, x509_subjectName(c.CERTIFICATE)
FROM ca_certificate cac, certificate c, x509_extkeyusages(c.CERTIFICATE) AS eku
WHERE cac.CERTIFICATE_ID = c.ID
  AND c.ISSUER_CA_ID != 1533
  AND eku = '1.3.6.1.4.1.11129.2.4.4'
  AND coalesce(x509_notAfter(c.CERTIFICATE), 'infinity'::timestamp) > '2025-01-01T00:00:00'::timestamp;
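Added example (editor's, not part of Filippo's post or of crt.sh): the post's second step, looking up unexpired certificates issued by the parent of each Precertificate Signing Certificate, folded into the same query so the two steps can be re-run together. Per RFC 6962 a Precertificate Signing Certificate is issued directly by the CA that will issue the final certificates, so the parent is the CA recorded in ISSUER_CA_ID on the signing certificate. It assumes only the crt.sh tables, columns and libx509pq functions the original query already uses; the cutoff date and the CA 1533 exclusion are carried over from the post, and the alias names are mine.

```sql
-- Step 1: the Precertificate Signing Certificates from the post's query,
-- keeping the parent CA (ISSUER_CA_ID) that will issue the final certificates.
WITH precert_signing AS (
  SELECT c.ID AS signing_cert_id,
         cac.CA_ID AS signing_ca_id,
         c.ISSUER_CA_ID AS parent_ca_id,
         x509_subjectName(c.CERTIFICATE) AS subject
  FROM ca_certificate cac, certificate c, x509_extkeyusages(c.CERTIFICATE) AS eku
  WHERE cac.CERTIFICATE_ID = c.ID
    AND c.ISSUER_CA_ID != 1533                       -- "non-testing" filter from the post
    AND eku = '1.3.6.1.4.1.11129.2.4.4'              -- CT Precertificate Signing EKU
    AND coalesce(x509_notAfter(c.CERTIFICATE), 'infinity'::timestamp) > '2025-01-01T00:00:00'::timestamp
)
-- Step 2: for each parent CA, count the certificates it has issued that are
-- still unexpired on the same cutoff date. A parent that owns several signing
-- certificates (e.g. a re-issued one with the same Subject) is counted once.
SELECT ps.parent_ca_id,
       string_agg(DISTINCT ps.subject, ' | ') AS signing_cert_subjects,
       count(leaf.ID) AS unexpired_issued
FROM precert_signing ps
LEFT JOIN certificate leaf
  ON leaf.ISSUER_CA_ID = ps.parent_ca_id
 AND coalesce(x509_notAfter(leaf.CERTIFICATE), 'infinity'::timestamp) > '2025-01-01T00:00:00'::timestamp
GROUP BY ps.parent_ca_id
ORDER BY unexpired_issued DESC;
```

Two caveats when reading the numbers. First, crt.sh stores precertificates as rows in the same `certificate` table; a precertificate signed by a Precertificate Signing Certificate names that signing certificate as its issuer, so it is attributed to `signing_ca_id` rather than to the parent and does not inflate this count, but any precertificates the parent signed directly would. Second, `count(leaf.ID)` with a LEFT JOIN yields 0 for a parent with no unexpired issuance instead of dropping it, which is what you want when arguing that a signing certificate is not carrying its weight. Against the public read-only replica (`psql -h crt.sh -p 5432 -U guest certwatch`) the join over a busy parent CA can be slow; run it off-peak or add a `LIMIT` while iterating.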