[ALUG] Fwd: Distrusting New WoSign and StartCom Certificates | Mozilla Security Blog
Andreas Tauscher
ta at geuka.net
Thu Nov 10 16:32:37 EAT 2016
On 09.11.2016 19:45, Ismail Settenda via Linux wrote:
> F.Y.I
>
>>>>
> Some on this list may find this interesting:
>
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
Was here a month ago.
Certificates with a notBefore date after October 21, 2016 and chaining
to the following root certificates:
* CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
* CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
* CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited,
C=CN
* CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
* CN=StartCom Certification Authority, OU=Secure Digital Certificate
Signing, O=StartCom Ltd., C=IL
* CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
And any SHA1 certificate. But all SHA1 certificates from any CA are
anyway removed 2017.
I'm now removing now all StartSSL and WoSign certificates and replacing
them with LetsEncrypt certificates.
LetsEncrypt is really working fine.
The only thing what now sucks a little bit is that I have to write some
scripts to update and rotate the TLSA records for DANE in the DNS.
But PowerDNS 4 has now a nice API for creating and updating records.
Making this seriously more easy :)
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.habari.co.tz/pipermail/linux/attachments/20161110/9e9699b9/attachment-0001.pgp>
More information about the Linux
mailing list