Newbie questions about the cert logs


Adam Wasserman

Jun 13, 2018, 10:37:34 AM
to certificate-transparency

Hi all,

I am new to cert transparency, and I don't understand something I am seeing:

I am using Cali Dog's CertStream to monitor new cert issuance and I am seeing multiple X509LogEntries for a single host (I filtered out PreCerts).

Below are a few examples of what I mean; the layout is:
hostname
source log
update type
message type
authority
fingerprint
serial number, and
I added a timestamp of when it was read from the certstream

The host, source, and CA are the same, and the fingerprint and serial number are different. At first I thought it might be some kind of propagation between logs, but in the example below the polled log is the same in all three cases...

I would really like to understand what I am looking at. I was hoping someone could take the time to explain it :)

Thx in advance,
Adam

zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 03:9D:02:34:E8:E7:DF:DC:10:19:24:8A:2C:A9:93:E9:20:71:95:93, 4514A395208FD36ADB8582D9394EE1CE, 2018-06-08 18-27-20

zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 06:13:3E:FB:F5:01:5D:BD:02:E9:DC:E2:05:C3:D4:38:64:03:DD:68, D2C3635EFF70175FC53A20F09724CA65, 2018-06-08 18-27-26

zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 87:67:E5:37:67:5E:57:1A:5F:B7:C7:C5:4F:92:6F:13:1D:9E:2B:98, DE706E2A682BBB580B63725941E49195, 2018-06-08 18-27-20

Alex Cohn

Jun 13, 2018, 12:42:36 PM
to certificate-...@googlegroups.com
Those are three different certificates (https://crt.sh/?id=509845763, https://crt.sh/?id=509911866, and https://crt.sh/?id=509867989, respectively), issued by Comodo to CloudFlare. Each covers a slightly different set of domains - look at the "X509v3 Subject Alternative Name" extension; they're mostly, but not entirely, identical.

CloudFlare acquires certificates covering their customers' domains as part of their Free SSL offering. They combine batches of customer domains onto one certificate; I'm guessing this is to reduce the number of keys they have to distribute to their edge caches. You're seeing them add/remove domains from this certificate; since certificates are immutable, Comodo issues and logs an entirely new certificate every time. 

HTH,
Alex

p.s. Depending on your use case, I'd recommend against excluding pre-certificates from your search - not all CAs log the final certificate (I believe DigiCert, GoDaddy, and Amazon don't), so you'll miss some final certificates unless a third party finds and submits them.

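The explanation above (three distinct certificates for one host, same log and same issuer, differing only in fingerprint, serial and SAN set) can be checked directly against the records in the question. The following is an added example, not code from the thread or from CertStream: it parses the three lines in the poster's layout, groups them by hostname, shows that they are three distinct certificates from one issuer chain, and compares SAN sets between consecutive issuances. The SAN lists are constructed placeholders (the page does not quote them), and `should_keep` assumes CertStream's `PrecertLogEntry` value for the update type of a precertificate.

```python
from collections import defaultdict
from dataclasses import dataclass

# The three X509LogEntry records quoted in the question, in the poster's layout:
# hostname, source log, update type, message type, authority, fingerprint, serial, timestamp
RAW_RECORDS = """\
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 03:9D:02:34:E8:E7:DF:DC:10:19:24:8A:2C:A9:93:E9:20:71:95:93, 4514A395208FD36ADB8582D9394EE1CE, 2018-06-08 18-27-20
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 06:13:3E:FB:F5:01:5D:BD:02:E9:DC:E2:05:C3:D4:38:64:03:DD:68, D2C3635EFF70175FC53A20F09724CA65, 2018-06-08 18-27-26
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP - URI:http://ocsp.comodoca4.comCA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, 87:67:E5:37:67:5E:57:1A:5F:B7:C7:C5:4F:92:6F:13:1D:9E:2B:98, DE706E2A682BBB580B63725941E49195, 2018-06-08 18-27-20
"""

FIELDS = ("hostname", "source_log", "update_type", "message_type",
          "authority", "fingerprint", "serial", "seen_at")


@dataclass(frozen=True)
class LogEntry:
    hostname: str
    source_log: str
    update_type: str
    message_type: str
    authority: str
    fingerprint: str
    serial: str
    seen_at: str


def parse_record(line: str) -> LogEntry:
    """Parse one comma-separated record in the poster's layout."""
    parts = [p.strip() for p in line.split(", ")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return LogEntry(**dict(zip(FIELDS, parts)))


def parse_records(text: str) -> list[LogEntry]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def should_keep(entry: LogEntry, include_precerts: bool = True) -> bool:
    """Per the reply's postscript: keep precertificates too, since some CAs never
    log the final certificate. 'PrecertLogEntry' is assumed to be CertStream's
    update_type value for a precertificate."""
    if entry.update_type == "X509LogEntry":
        return True
    return include_precerts and entry.update_type == "PrecertLogEntry"


def group_by_host(entries: list[LogEntry]) -> dict[str, list[LogEntry]]:
    groups: dict[str, list[LogEntry]] = defaultdict(list)
    for entry in entries:
        groups[entry.hostname].append(entry)
    return dict(groups)


def distinct_certificates(entries: list[LogEntry]) -> dict[str, str]:
    """A certificate is identified by its fingerprint; the serial is kept for the report.
    Two entries with different fingerprints are different certificates, even for one host."""
    return {entry.fingerprint: entry.serial for entry in entries}


def same_issuer_chain(entries: list[LogEntry]) -> bool:
    """True when every entry came from the same log and names the same issuer endpoints."""
    return len({(entry.source_log, entry.authority) for entry in entries}) == 1


# Constructed SAN lists keyed by fingerprint (not on the page): each reissued batch
# certificate covers a slightly different set of customer domains.
CONSTRUCTED_SANS = {
    "03:9D:02:34:E8:E7:DF:DC:10:19:24:8A:2C:A9:93:E9:20:71:95:93":
        frozenset({"zz5b0zbooks.ml", "alpha.example", "beta.example"}),
    "87:67:E5:37:67:5E:57:1A:5F:B7:C7:C5:4F:92:6F:13:1D:9E:2B:98":
        frozenset({"zz5b0zbooks.ml", "alpha.example", "gamma.example"}),
    "06:13:3E:FB:F5:01:5D:BD:02:E9:DC:E2:05:C3:D4:38:64:03:DD:68":
        frozenset({"zz5b0zbooks.ml", "gamma.example", "delta.example"}),
}


def san_churn(entries: list[LogEntry], sans_by_fp: dict[str, frozenset]):
    """Order entries by the time they were read and report (fingerprint, added, removed)
    SAN differences between each certificate and the one read before it."""
    ordered = sorted(entries, key=lambda e: e.seen_at)  # stable: ties keep input order
    churn = []
    for prev, cur in zip(ordered, ordered[1:]):
        before, after = sans_by_fp[prev.fingerprint], sans_by_fp[cur.fingerprint]
        churn.append((cur.fingerprint, after - before, before - after))
    return churn


if __name__ == "__main__":
    entries = [e for e in parse_records(RAW_RECORDS) if should_keep(e)]
    for host, host_entries in group_by_host(entries).items():
        certs = distinct_certificates(host_entries)
        print(f"{host}: {len(certs)} distinct certificates, "
              f"one issuer chain: {same_issuer_chain(host_entries)}")
        for fp, serial in certs.items():
            print(f"  {fp}  serial={serial}")
        for fp, added, removed in san_churn(host_entries, CONSTRUCTED_SANS):
            print(f"  {fp[:11]}... added={sorted(added)} removed={sorted(removed)}")
```

Run against a live CertStream feed, the useful change is in `distinct_certificates`: key on the fingerprint rather than the hostname, so a host that appears on several batch certificates is counted once per certificate rather than deduplicated away or flagged as a duplicate event.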

Adam Wasserman

Jun 20, 2018, 11:07:04 AM
to certificate-transparency
Alex,

Thank you very much! Great answer, super clear.

Best,
Adam