home.social

#x509 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #x509, aggregated by home.social.

  1. #DigiCert customer support compromised with .scr ZIP attachment 🤷

    During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:

    • DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
    • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    • GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
    • Verokey High Assurance Secure Code EV

    https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

    #x509 #infosec

  2. #DigiCert customer support compromised with .scr ZIP attachment 🤷

    During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:

    • DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
    • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    • GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
    • Verokey High Assurance Secure Code EV

    https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

    #x509 #infosec

  3. #DigiCert customer support compromised with .scr ZIP attachment 🤷

    During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:

    • DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
    • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    • GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
    • Verokey High Assurance Secure Code EV

    https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

    #x509 #infosec

  4. #DigiCert customer support compromised with .scr ZIP attachment 🤷

    During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:

    • DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
    • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    • GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
    • Verokey High Assurance Secure Code EV

    https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

    #x509 #infosec

  5. #DigiCert customer support compromised with .scr ZIP attachment 🤷

    During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:

    • DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
    • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    • GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
    • Verokey High Assurance Secure Code EV

    https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

    #x509 #infosec

  6. RE: infosec.exchange/@paulehoffman

    Side note: this is why things like "multi-perapective corroboration" for domain validation do not work.

    When every single packet to .ir nameservers and servers inside Iran pass through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any .ir domain or any server located in Iran.

    #x509 #dns #dnssec #certificate

  7. RE: infosec.exchange/@paulehoffman

    Side note: this is why things like "multi-perapective corroboration" for domain validation do not work.

    When every single packet to .ir nameservers and servers inside Iran pass through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any .ir domain or any server located in Iran.

    #x509 #dns #dnssec #certificate

  8. RE: infosec.exchange/@paulehoffman

    Side note: this is why things like "multi-perapective corroboration" for domain validation do not work.

    When every single packet to .ir nameservers and servers inside Iran pass through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any .ir domain or any server located in Iran.

    #x509 #dns #dnssec #certificate

  9. RE: abyssdomain.expert/@filippo/11

    An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.

    #ctlog #x509 #certificate

  10. RE: abyssdomain.expert/@filippo/11

    An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.

    #ctlog #x509 #certificate

  11. RE: abyssdomain.expert/@filippo/11

    An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.

    #ctlog #x509 #certificate

  12. So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.

    Does anybody have any idea when this will finally go live?

    It's in the docs, but no mention that it is restricted to invited users only still

    letsencrypt.org/docs/profiles/

    #x509 #LetsEncrypt #ip

  13. So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.

    Does anybody have any idea when this will finally go live?

    It's in the docs, but no mention that it is restricted to invited users only still

    letsencrypt.org/docs/profiles/

    #x509 #LetsEncrypt #ip

  14. So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.

    Does anybody have any idea when this will finally go live?

    It's in the docs, but no mention that it is restricted to invited users only still

    letsencrypt.org/docs/profiles/

    #x509 #LetsEncrypt #ip

  15. So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.

    Does anybody have any idea when this will finally go live?

    It's in the docs, but no mention that it is restricted to invited users only still

    letsencrypt.org/docs/profiles/

    #x509 #LetsEncrypt #ip

  16. So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.

    Does anybody have any idea when this will finally go live?

    It's in the docs, but no mention that it is restricted to invited users only still

    letsencrypt.org/docs/profiles/

    #x509 #LetsEncrypt #ip

  17. % openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text

    Validity
    Not Before: Feb 8 00:00:00 2010 GMT
    Not After : Feb 7 23:59:59 2020 GMT
    Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA

    🧐

    #Zoom #x509

  18. % openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text

    Validity
    Not Before: Feb 8 00:00:00 2010 GMT
    Not After : Feb 7 23:59:59 2020 GMT
    Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA

    🧐

    #Zoom #x509

  19. % openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text

    Validity
    Not Before: Feb 8 00:00:00 2010 GMT
    Not After : Feb 7 23:59:59 2020 GMT
    Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA

    🧐

    #Zoom #x509

  20. % openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text

    Validity
    Not Before: Feb 8 00:00:00 2010 GMT
    Not After : Feb 7 23:59:59 2020 GMT
    Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA

    🧐

    #Zoom #x509

  21. % openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text

    Validity
    Not Before: Feb 8 00:00:00 2010 GMT
    Not After : Feb 7 23:59:59 2020 GMT
    Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA

    🧐

    #Zoom #x509

  22. It's been over half a year and the Internet still seems to be working.

    Here's your regular reminder that #cname in #x509 is almost always irrelevant for the validation. If someone is using it, they are doing it wrong.

  23. It's been over half a year and the Internet still seems to be working.

    Here's your regular reminder that #cname in #x509 is almost always irrelevant for the validation. If someone is using it, they are doing it wrong.

  24. It's been over half a year and the Internet still seems to be working.

    Here's your regular reminder that #cname in #x509 is almost always irrelevant for the validation. If someone is using it, they are doing it wrong.

  25. It's been over half a year and the Internet still seems to be working.

    Here's your regular reminder that #cname in #x509 is almost always irrelevant for the validation. If someone is using it, they are doing it wrong.

  26. @petarov

    Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.

    Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.

    So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.

  27. @petarov

    Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.

    Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.

    So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.

  28. @petarov

    Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.

    Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.

    So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.

  29. @petarov

    Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.

    Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.

    So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.

  30. @petarov

    Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.

    Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.

    So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.