You'd think a Certification Authority (CA) would take its job seriously, particularly after the disastrous news of the Comodo break-ins, but that is apparently not the case.

When Tony pointed out this morning that Certigna had a key file lying around, I thought he was kidding. Unfortunately I didn't take a screen shot of the directory listing, but I found one. Here it is in all its glory.

Certigna key file

I did, however, grab the two files.

-rw-r--r--@ 1 jpm  staff  1911 May 28  2009 www.certigna.fr.crt
-rw-r--r--@ 1 jpm  staff  1087 May 28  2009 www.certigna.fr.key

The key belongs to a server certificate (the file www.certigna.fr.crt in the same directory) which has expired:

openssl x509 -in www.certigna.fr.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, O=Dhimyotis, OU=0002 481463081, CN=Certigna SSL/serialNumber=3
        Validity
            Not Before: Jul  6 20:41:45 2007 GMT
            Not After : Jul  6 20:41:45 2010 GMT
        Subject: CN=www.certigna.fr, C=FR, O=Dhimyotis, OU=0002 481463081/serialNumber=5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:53:39:d3:a7:2e:ba:95:6b:1f:15:5e:fc:a0:
                    72:8a:2c:ec:d8:e2:86:e7:bf:05:f3:f2:b5:5b:a4:
                    49:83:0d:d2:d5:d4:79:a5:f7:8f:86:86:81:13:f9:
                    83:7c:73:a2:80:20:ac:cd:f3:c8:95:ca:b2:96:14:
                    09:2f:f3:0d:08:bb:4b:26:ae:70:c3:0b:a4:90:d8:
                    9c:2c:7b:c6:25:a0:25:05:c9:47:ce:5b:e8:c0:8c:
                    d3:c1:2a:68:4c:8d:cf:4c:3b:57:31:5e:10:58:1f:
                    f6:df:5d:ef:1b:ab:ca:ff:0a:ea:25:53:94:d6:a2:
                    5f:23:8a:6e:33:ab:8b:c1:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment

The key file itself is encrypted with a passphrase:

Bag Attributes
    localKeyID: 46 F3 7A C0 95 A2 B1 F3 E8 B2 07 46 25 E9 0F 4F 9A 8E 17 C9 
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4B2B22A59E388F38

9apLLxgnIBAhIsc1B53GfRmZhZkhpMq37TFV0fnoSD3yBbPTkue9FrykyE+ZG6vj
...
8XaYeklqpsUnjHFPnMi6DaGrZa5ki4n7ELOkcMOksGVMV3+Eiq5mTw==
-----END RSA PRIVATE KEY-----
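A defender-side check for exactly this mistake, added here as an example (not code from the original post, and nothing to do with Certigna's own tooling): it walks a web document root, flags any file carrying a PEM private key, and reports whether the key has the legacy OpenSSL Proc-Type/DEK-Info passphrase headers seen in the file above and, if so, which cipher. The sample key text is constructed to mirror that layout; its body is not real key material.

```python
import os
import re

# Legacy OpenSSL PEM encryption headers, the form seen in the leaked key file.
_PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
_DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", re.M)
_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----\s*$", re.M)
PRIVATE_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
                  "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample in the leaked file's layout; the body is not a real key.
SAMPLE_ENCRYPTED_KEY = """Bag Attributes
    localKeyID: 00 11 22
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

def classify_pem(text):
    """kind: private-key|certificate|other; encrypted: bool for keys, else None;
    cipher: legacy DEK-Info cipher (e.g. DES-EDE3-CBC) or None."""
    labels = set(_BEGIN.findall(text))
    info = {"kind": "other", "encrypted": None, "cipher": None}
    if labels & PRIVATE_LABELS:
        dek = _DEK_INFO.search(text)
        legacy = _PROC_TYPE.search(text) is not None and dek is not None
        info["kind"] = "private-key"
        info["encrypted"] = legacy or "ENCRYPTED PRIVATE KEY" in labels
        info["cipher"] = dek.group(1) if legacy else None
    elif "CERTIFICATE" in labels:
        info["kind"] = "certificate"
    return info

def scan_webroot(root):
    """Return (relative path, info) for every file under root holding a PEM
    private key; encrypted or not, none of them belongs in a document root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="ascii", errors="ignore") as fh:
                info = classify_pem(fh.read(8192))  # PEM headers sit at the top
            if info["kind"] == "private-key":
                findings.append((os.path.relpath(path, root), info))
    return findings
```

Run `scan_webroot("/var/www/html")` (path is an assumption) from a cron job or a deploy hook; a non-empty result is a finding regardless of whether the key is passphrase-protected, since the legacy DES-EDE3-CBC PEM scheme only adds a passphrase guess to the attacker's to-do list.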

Even though the key is passphrase-protected, leaving it on a public web server shows that the security of this Certification Authority is disastrous, despite their calling themselves experts. From the Certigna Web site:

Made up of recognised experts, the team focuses mainly on developing two areas: internet security ...

They should be punished by having their CA certificate removed from Web browsers.

Update:

SSL, CA, and X.509 :: 09 Jun 2011
