1374809 - Leaked private key for Cisco cert

Status: RESOLVED FIXED

(CA Program :: CA Certificate Root Program, task)

Description

[Kathleen Wilson]

Cisco leaked the private key to one of their certs. It has been revoked, and we should probably add it to OneCRL.

Report:
https://groups.google.com/d/msg/mozilla.dev.security.policy/T6emeoE-lCU/-k-A2dEdAQAJ

Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672
DNS names: drmlocal.cisco.com <http://drmlocal.cisco.com/>
Issued by: HydrantID SSL ICA G2

Comment 1

[Dana Keeler (she/her) [:keeler]]

It might be a good idea to revoke this by subject/public key since part of why this is particularly bad is the private key was disclosed.

Comment 2

[Kathleen Wilson]

Stephen, 
Has the CRL been updated? 
Is http://crl.quovadisglobal.com/qvrca2.crl the correct CRL?

Would you also please attach the PEM of the cert?

Comment 3

[Stephen Davidson]

Hi Kathleen:
Certificate serial ‎66:17:0c:e2:ec:8b:7d:88:b4:e2:eb:73:2e:73:8f:e3:a6:7c:f6:72 was revoked ‎Sunday, ‎June ‎18, ‎2017 11:57:00 AM for Key Compromise (1).
The Issuing CA CRL is http://crl.quovadisglobal.com/hydsslg2.crl 
Regards, Stephen

-----BEGIN CERTIFICATE-----
MIIGJzCCBA+gAwIBAgIUZhcM4uyLfYi04utzLnOP46Z89nIwDQYJKoZIhvcNAQEL
BQAwXjELMAkGA1UEBhMCVVMxMDAuBgNVBAoTJ0h5ZHJhbnRJRCAoQXZhbGFuY2hl
IENsb3VkIENvcnBvcmF0aW9uKTEdMBsGA1UEAxMUSHlkcmFudElEIFNTTCBJQ0Eg
RzIwHhcNMTYxMTE2MTE1NjUxWhcNMTgxMTE2MTE1NjQ2WjBoMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCFNhbiBKb3NlMRwwGgYDVQQKExNDaXNj
byBTeXN0ZW1zLCBJbmMuMRswGQYDVQQDExJkcm1sb2NhbC5jaXNjby5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC97HbzNlk1Co7c77iPCiLv8P23
SYwgITjyAQK++i0/JT5ws28OzKQzVW+1xfMqaNAxLZfONyI/iKIYspHQMuq4cQx9
olAwBSLrWnqLLfYmqPdqzY5Zm5Yk+uFwPQ/4hdQAZX8vIhqKPvCLgwiMMOgcQVxQ
x0PWqlUiKsBIIUMZg0aybLJp9Ap/74VkG14BV+DcFEnDe8X5+LayElt7AmrHG53T
l/UyGh9sGscPQ1L+/OjH1dPj5q4v/8rXfPY0LkD8ULr1dT02NrRlvH/kkB4vOs+x
z+Oh6JTTyhQZPqFKS09sKtby2E40To8SkCojOoMMukt/TX6mQgEgnuxO4NvBAgMB
AAGjggHRMIIBzTB0BggrBgEFBQcBAQRoMGYwKgYIKwYBBQUHMAGGHmh0dHA6Ly9v
Y3NwLnF1b3ZhZGlzZ2xvYmFsLmNvbTA4BggrBgEFBQcwAoYsaHR0cDovL3RydXN0
LnF1b3ZhZGlzZ2xvYmFsLmNvbS9oeWRzc2xnMi5jcnQwHQYDVR0RBBYwFIISZHJt
bG9jYWwuY2lzY28uY29tMF4GA1UdIARXMFUwCAYGZ4EMAQICMEkGDCsGAQQBvlgA
A4cEADA5MDcGCCsGAQUFBwIBFitodHRwOi8vd3d3Lmh5ZHJhbnRpZC5jb20vc3Vw
cG9ydC9yZXBvc2l0b3J5MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMDsG
A1UdJQQ0MDIGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwUGCCsGAQUFBwMG
BggrBgEFBQcDBzAfBgNVHSMEGDAWgBSYarYtLr+nqp/299YJr9WLV/mKtzA7BgNV
HR8ENDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9oeWRz
c2xnMi5jcmwwHQYDVR0OBBYEFI2XqGeo1/68x8sWyqDFgTcPqJ0UMA0GCSqGSIb3
DQEBCwUAA4ICAQAL419PlH+LJ9cc14LphhrXpz3gkaahQ+xtSmVAIP89rrI96R6G
58UtN6GKJBC4es/37W+YalBcsevaKoLTS2dtbhc0ZZrl3yn5Y43EAWG+FVI4geXp
SUtE53eNYSrHd+3LN3oNV6v0ze8KsnimVpuC3MCvK5d/POxRm+7JyqkRrusuMyK1
XHkWcnO+0KzqgIq48EXjQKq1F12MI6nq6BZirHI2KonXsyjn/YKH3oii040KNA+V
c4AQXcbhBZjaImsMuD7pS5phsLlvzVPnCBLwXo+7lLsoEqOxAgpzWBwWw61BLKdl
Dxde6LTc8fpZjGmxZ46pWIC44r0HRSaAtMiB0aQgmIz8sWREx3zOddHtKHtj2o8j
3tX3WPXgvFCEfcNvazVhMGiI9FtBoqvIKZ7C14fDfmhMpPoDcDsjB4IAByRedDai
Q47lcR+zrZhqgH1ebuDFGpDh8ChBnM6wdLILA3lZA4c0cs0e9f3f6fXsTqLtLxDa
HFOG53MZYkPMAb4v45WL/mwmUA5r1l6jAT63wqko4g+GJRQwXXdE7w25iPlL77iU
mjY/U6H46afdFB0KErHO4j3D8do6t6AT4mFQ4yenMaBYacldYBQRC/B1vL9QR2yw
uibG9IJI8udVSHCRXR9ILJNHm95z9fdi9Tm6bcJ6tHFFQLuJt89628/AFg==
-----END CERTIFICATE-----

Comment 4

[Kathleen Wilson]

I confirm that this has been added to OneCRL. Thanks!