
SHA-1 OCSP responder certificates


Frank Corday

Sep 20, 2017, 5:29:00 PM
to dev-secur...@lists.mozilla.org
On September 8, 2017, a member of our team discovered that one of our OCSP responder certificates had been signed with SHA-1 with a notBefore date of May 23, 2017. We initiated an investigation and discovered that there were a total of 4 such certificates, all issued on May 23 as annual renewals to support our old SHA-1 issuing CAs until the last of the certificates issued from them has expired or been revoked and the CAs themselves can be revoked. The 4 OCSP responder certificates have been posted to CT and are available from the following URLs:

https://crt.sh/?id=201187008
https://crt.sh/?id=214252118
https://crt.sh/?id=214252119
https://crt.sh/?id=214252120

Our OCSP responses are generated on the same HSMs that host our issuing CAs, so the renewal of the OCSP signing certificates is performed using a script executed directly on the CA servers during a scheduled quarterly CA room entry. This issuance was the result of an oversight in updating that script from the one used in 2016, in order to force the non-default behavior of signing the responder certificates with a different hash than the one with which the CA itself is signed. None of our active issuing CAs, nor our offline root CAs were affected. Our offline root CAs also use delegated OCSP responder certificates, which were also renewed on the same day, but were properly signed with SHA-256. Our active SHA-256 issuing CAs sign OCSP responses directly and thus do not require responder certificates.

We are in the process of updating the OCSP responder issuing script and testing it in our test environment. We will then schedule a CA room entry to repeat this procedure to issue and deploy new SHA-256 signed certificate replacements and revoke the stated 4 certificates. We expect to complete this by the end of the month.

The last still-valid certificate expiration dates for the 4 CAs are as follows:
DVCA: October 24, 2017
OVCA: January 19, 2018
CLACA: December 10, 2018
CSCA: March 18, 2019

Based on these dates, we would anticipate revoking both DVCA and OVCA in Q1 2018, and performing one more OCSP responder renewal for CLACA and CSCA in mid-2018, for which we will use the updated SHA-256 script. As further insurance against this happening in the future, we have updated QA procedures to explicitly check the signature algorithm on OCSP responder certificate renewals when testing our quarterly CA room activities.

We appreciate the efforts of the independent researchers who have identified a variety of issues as of late, and apologize for our oversight in this instance. We also welcome any further suggestions members of the community may provide on this matter.

Best regards,

Frank Corday

Trustwave
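
The QA step described in the post above (explicitly checking the signature algorithm on renewed OCSP responder certificates) can be automated. The following is an added example, not part of the original post and not Trustwave's script: a standard-library Python check that reads both signature algorithm fields from a DER certificate and reports SHA-1. The function names and the `sample_cert` skeleton are constructed for illustration, and the EKU test is a simple byte search.

```python
SHA1_SIG_OIDS = {  # signature algorithm OIDs that use SHA-1
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OCSP_EKU_DER = bytes.fromhex("06082b06010505070309")  # id-kp-OCSPSigning, DER-encoded

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def alg_oid(alg_id):  # dotted OID from the body of an AlgorithmIdentifier
    arcs, val = [], 0
    for b in read_tlv(alg_id, 0)[1]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends one base-128 arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_responder_cert(der):
    """Return a list of findings for one DER certificate; empty means pass."""
    cert = read_tlv(der, 0)[1]
    _, tbs, p = read_tlv(cert, 0)
    outer = alg_oid(read_tlv(cert, p)[1])
    tag, _, q = read_tlv(tbs, 0)
    if tag == 0xA0:  # optional [0] version precedes the serial number
        q = read_tlv(tbs, q)[2]
    inner = alg_oid(read_tlv(tbs, q)[1])
    checks = [
        (outer != inner, "outer and tbsCertificate signature algorithms differ"),
        (outer in SHA1_SIG_OIDS, "SHA-1 signature: " + SHA1_SIG_OIDS.get(outer, "")),
        (OCSP_EKU_DER not in tbs, "id-kp-OCSPSigning OID not found (byte search)"),
    ]
    return [msg for failed, msg in checks if failed]

def sample_cert(sig_oid_hex):
    """Constructed skeleton with a certificate's outer layout; not a valid cert."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + alg + OCSP_EKU_DER)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xAA"))
```

For a real renewal, convert the PEM file with `ssl.PEM_cert_to_DER_cert` and pass the bytes to `check_responder_cert`; any non-empty result should fail the QA run.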