We had no notice of the revoking of a QuoVadis Global SSL ICA G3 intermediate certificate. Actually before I got the email, I saw a post on Reddit about it.
The replacement intermediate needed putting in the certificate bundle or chain of about 300 servers. But it became apparent that firefox didn’t care much about the bundled certificates anyway and would let all on. Windows Chrome users also didn’t seem purturbed. This kicked off alot of head scratching about Browsers and SSL Certification.
So in Chrome and Safari running on a Mac the bundled certificate was respected and it was a quick way of checking. But how do you check 300 servers easily?
I used openssl and various web articles to investigate OCSP and CRL – two mechanism used to verify certificates, but couldn’t script it successfully. On the evening of the day after, I saw a helpful post by Daniel Monaghan on the subject where he described an easy method to detect the certificate and he posted a script – thank-you Daniel.
So basically, pick a line of the encryped cert, and grep it:
openssl s_client -connect www.example.com:443 \
-showcerts 2>&1 </dev/null \
| grep WSr2Rz0ZiC3oheGe7IUIarFsNMkd7EgrO3jtZsSOeWmD3nStill many appliances and some windows applications couldn’t just replace the intermediate certificate and restart. The intermediate was cached somewhere obscure. We had to renew the host certificates in the end. Most troublesome was the Pulsesecure VPN. So on a MAC we had to connect using firefox (which doesn’t look at the bundled certificate).
OCSP and CRL are ways for the browsers to check the validity of certificates. Chrome is supposed to use CRL – and probably does – but it is being overridden by looking at the bundled intermediate certificate. Perhaps firefox is checking that the host certificate is valid (which it is) but seeks to ignore the bundled certificate.
Also worthy of note to help with internet facing sites was the pair of onlines tools revocationcheck.com and Qualys SSL Labs – helpful to convince others that while their browser doesn’t complain, perhaps it should !