You'd think a Certification Authority (CA) would take its job seriously, particularly after the disastrous news of the Comodo break-ins, but that is apparently not the case.
When Tony pointed out this morning that Certigna had a key file lying around, I thought he was kidding. Unfortunately I didn't take a screenshot of the directory listing, but I found one. Here it is in all its glory.
I did, however, grab the two files.
-rw-r--r--@ 1 jpm staff 1911 May 28 2009 www.certigna.fr.crt
-rw-r--r--@ 1 jpm staff 1087 May 28 2009 www.certigna.fr.key
The key belongs to a server certificate (the file www.certigna.fr.crt in the same directory) which has expired:
openssl x509 -in www.certigna.fr.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, O=Dhimyotis, OU=0002 481463081, CN=Certigna SSL/serialNumber=3
        Validity
            Not Before: Jul 6 20:41:45 2007 GMT
            Not After : Jul 6 20:41:45 2010 GMT
        Subject: CN=www.certigna.fr, C=FR, O=Dhimyotis, OU=0002 481463081/serialNumber=5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:53:39:d3:a7:2e:ba:95:6b:1f:15:5e:fc:a0:
                    72:8a:2c:ec:d8:e2:86:e7:bf:05:f3:f2:b5:5b:a4:
                    49:83:0d:d2:d5:d4:79:a5:f7:8f:86:86:81:13:f9:
                    83:7c:73:a2:80:20:ac:cd:f3:c8:95:ca:b2:96:14:
                    09:2f:f3:0d:08:bb:4b:26:ae:70:c3:0b:a4:90:d8:
                    9c:2c:7b:c6:25:a0:25:05:c9:47:ce:5b:e8:c0:8c:
                    d3:c1:2a:68:4c:8d:cf:4c:3b:57:31:5e:10:58:1f:
                    f6:df:5d:ef:1b:ab:ca:ff:0a:ea:25:53:94:d6:a2:
                    5f:23:8a:6e:33:ab:8b:c1:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
The key file itself is encrypted with a passphrase, in the traditional OpenSSL PEM format (Proc-Type/DEK-Info headers, 3DES-CBC); the "Bag Attributes" header shows it was exported from a PKCS#12 bundle with openssl pkcs12:
Bag Attributes
    localKeyID: 46 F3 7A C0 95 A2 B1 F3 E8 B2 07 46 25 E9 0F 4F 9A 8E 17 C9
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4B2B22A59E388F38

9apLLxgnIBAhIsc1B53GfRmZhZkhpMq37TFV0fnoSD3yBbPTkue9FrykyE+ZG6vj
...
8XaYeklqpsUnjHFPnMi6DaGrZa5ki4n7ELOkcMOksGVMV3+Eiq5mTw==
-----END RSA PRIVATE KEY-----
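The checks below are an added example, not code from the original post and not anything Certigna published; they assume only that the openssl command-line tool is on PATH, and the file names (site.crt, site.key, other.key, legacy.key) and the make_test_pair fixture are placeholders constructed here for illustration. They answer the questions a practitioner asks of a leaked pair like the one above: does the key really belong to the certificate (compare the RSA modulus of both), is the certificate still inside its validity period, how large is the key, and how is the key file protected. On the last point: a key in the traditional Proc-Type/DEK-Info format, as here, derives its 3DES key from the passphrase with a single MD5 pass (OpenSSL's EVP_BytesToKey, salted with the first eight bytes of the IV), so the passphrase is the only thing standing between whoever reads the directory listing and the private key, and it can be guessed offline at MD5 speed.

```shell
#!/bin/sh
# Added example (not from the original post): triage checks for a leaked
# certificate/key pair. Assumes the openssl CLI is on PATH; all file names
# are placeholders.
set -eu

# How is a PEM private key protected? Judged from its headers only:
#   legacy-pem:<CIPHER>  traditional OpenSSL format (Proc-Type: 4,ENCRYPTED,
#                        DEK-Info), as in the leaked www.certigna.fr.key; the
#                        cipher key comes from one MD5 pass over the passphrase
#                        (EVP_BytesToKey), so weak passphrases fall offline fast.
#   pkcs8-encrypted      "BEGIN ENCRYPTED PRIVATE KEY" (PBKDF2-based KDF).
#   cleartext            no passphrase at all.
key_protection() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        printf 'legacy-pem:%s\n' "$(sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1")"
    elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo pkcs8-encrypted
    else
        echo cleartext
    fi
}

# Does the private key belong to the certificate? An RSA key and its cert
# share the modulus, so compare digests of the two modulus values.
# $1 = cert, $2 = key, $3 = key passphrase ("" if none). Prints match/mismatch.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
    key_mod=$(openssl rsa -in "$2" -noout -modulus -passin "pass:$3" 2>/dev/null | openssl md5)
    if [ "$cert_mod" = "$key_mod" ]; then echo match; else echo mismatch; fi
}

# Is the certificate inside its validity period right now? Prints valid/expired.
cert_is_valid_now() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo valid
    else
        echo expired
    fi
}

# RSA modulus size in bits (the leaked cert carried a 1024-bit key). Derived
# from the hex length of the modulus, which openssl prints without padding.
cert_key_bits() {
    openssl x509 -in "$1" -noout -modulus | sed 's/^Modulus=//' | tr -d '\n' \
        | wc -c | awk '{print $1*4}'
}

# Constructed fixtures (NOT the leaked Certigna files): a throwaway self-signed
# pair in $1, an unrelated key for the mismatch case, and a header-only file
# mimicking the traditional encrypted format seen in the leaked key.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example.test' -days 1 \
        -keyout "$1/site.key" -out "$1/site.crt" >/dev/null 2>&1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,4B2B22A59E388F38' '' 'Y29uc3RydWN0ZWQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy.key"
}

# Usage against real files, e.g.:
#   key_protection www.certigna.fr.key
#   key_matches_cert www.certigna.fr.crt www.certigna.fr.key "$PASSPHRASE"
#   cert_is_valid_now www.certigna.fr.crt
#   cert_key_bits www.certigna.fr.crt
```

A cert that matches the key and has expired, as in this case, still matters: expiry stops browsers trusting the certificate, but it does nothing to protect the key, which may have been reused in a newer certificate or for other services, and the 1024-bit modulus was already below recommended size when the certificate was issued.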
In spite of the key being passphrase-protected, the security of this Certification Authority is disastrous, even though they call themselves experts. From the Certigna Web site (translated from the French):
"Made up of recognised experts, the team concentrates essentially on developing two areas: internet security ..."
They should be punished by having their CA certificate removed from Web browsers.