When it comes to certificates, mess-ups happen frequently in big companies. When I worked at IBM, I initially had the responsibility for obtaining and renewing the code signing certificate for a Java applet that we used in our product. I handed off the responsibility to another employee when I left that group.
I was on vacation in the middle of nowhere when I got a panicked call from the product manager asking me to renew the certificate as the employee had quit. I had to spend half a day walking someone through the renewal process - ruined my day.
I have certificate related horror stories from projects in the past. It takes a long time to train people to care for all the details and renewals. I spent weeks trying to get an upset client to understand that they messed up CSRs and have to ask the CA to issue new ones. The client refused to accept the simple fact that they made a mistake an wanted an exception to how PKI works.
i'm sure that i've spent a large part of my time trying to figure out why certs weren't working, converting them from one format to another and randomly having to try things until they work.
just today i had to fix our internal certs because for the new ones someone forgot to include the intermediate cert in the chain, making it impossible to use a specific CLI tool. web browsers didn't complain, just the CLI sync tool :)
I feel for you, when I worked at IBM I was surprised they did not have a "known" central authority for creating/maintaining certs. We tried to find if one existed, but no luck.
In the Dept I was in, it was expected the downstream system people would create the certs, and of course I would say 85% of them did not even know what a cert is. When renewal time came, we got blank stares when we mentioned the private cert. Or the person who created the cert left and never trained their replacement. Crazy situation.
Yeah - it was pretty chaotic when I was there too. We had to use the internal purchase order system to buy certificates from a CA. It was cumbersome as it required several levels of approval. I have long since quit IBM thankfully and had forgotten all about it until I saw this post today :-)
It’s a classic story starting in the 90s. Here is one from 2002:
He learned through Slashdot, an online discussion group, that Microsoft had an outstanding $35 fee to Network Solutions (NSI) for the Passport.com Web address. The Passport site verifies user identification and passwords for access to Hotmail and about 25 other Microsoft services.
Chaney, 31, quickly paid the fee with his credit card, restoring service to Hotmail users.
i use NPM at home. tested caddy a bit but i really liked NPMs convenience of having a Web-UI. allows me to do stuff remotely on my phone without having to dive into conf files.
anyways, what i liked about caddy was how easily it handles SSL-certs, for sure makes it easier to use! :) gonna have to look into how i can give a wildcard-cert to my rev-proxy.
ah, my mistake then. i use a wildcard dns-record but separate letsencrypt-certs for every subdomain. so to truly be stealthy i'd have to use a wildcard dns-record AND a wildcard ssl-cert.
sounds like i got myself a project for this weekend, implement a wildcard cert for my rev-proxy at home :)
EDIT: i guess the logs would still show the old certs, so my subdomains would still be exposed. huh. at least future subdomains would be hidden.
EDIT2: are there more ways for subdomains to get exposed, other than through DNS or SSL-Certs?
You shouldn't beat yourself up too much. TLS is HARD and poorly documented, and implementations vary significantly between applications and vendors (and are very dumbly designed). TLS is what you get when you let someone implement technology with specific domain knowledge (encryption) but no UX abilities or a comprehensive understanding of how their solution will be used.
I had the same horrified realization a few years ago when someone explained Certificate Transparency[1] to me.
21 comments
[ 12.6 ms ] story [ 61.2 ms ] threadjust today i had to fix our internal certs because for the new ones someone forgot to include the intermediate cert in the chain, making it impossible to use a specific CLI tool. web browsers didn't complain, just the CLI sync tool :)
In the Dept I was in, it was expected the downstream system people would create the certs, and of course I would say 85% of them did not even know what a cert is. When renewal time came, we got blank stares when we mentioned the private cert. Or the person who created the cert left and never trained their replacement. Crazy situation.
I hope things changed since I left.
He learned through Slashdot, an online discussion group, that Microsoft had an outstanding $35 fee to Network Solutions (NSI) for the Passport.com Web address. The Passport site verifies user identification and passwords for access to Hotmail and about 25 other Microsoft services.
Chaney, 31, quickly paid the fee with his credit card, restoring service to Hotmail users.
https://www.cnet.com/tech/services-and-software/oregon-compa...
> Validity
> Not Before - Fri, 18 Aug 2023 02:17:43 GMT
> Not After - Thu, 27 Jun 2024 23:59:59 GMT
> Subject Alternative Name
> DNS Name - cdn.entity.osi.office.net
> DNS Name - cdn.entity.osi.officeppe.net
> DNS Name - cdn.uci.edog.officeapps.live.com
> DNS Name - cdn.uci.officeapps.live.com
> DNS Name - uci.cdn.office.net
> DNS Name - uci.edog.cdn.office.net
[1]: https://crt.sh/?id=12376893471
[1]: https://crt.sh/?id=9852030995
always thought that using *.domain.net for home-use was cool, because that way random people don't know what kinds of subdomains i use.
turns out they can find it out by just checking all the certs for my domain. well. the more you know.
anyways, what i liked about caddy was how easily it handles SSL-certs, for sure makes it easier to use! :) gonna have to look into how i can give a wildcard-cert to my rev-proxy.
sounds like i got myself a project for this weekend, implement a wildcard cert for my rev-proxy at home :)
EDIT: i guess the logs would still show the old certs, so my subdomains would still be exposed. huh. at least future subdomains would be hidden.
EDIT2: are there more ways for subdomains to get exposed, other than through DNS or SSL-Certs?
i got a wildcard-cert, implemented it on my proxy, everything works!
unfortunately, to be stealthy, i almost have to switch to a different domain. then request a new public IP, and switch.
I had the same horrified realization a few years ago when someone explained Certificate Transparency[1] to me.
[1] https://en.wikipedia.org/wiki/Certificate_Transparency
I like.
I picked up a client with a bunch of web brands and well, you know.