top | item 45014004

(no title)

thom_nic | 6 months ago

DOD Cyber Exchange, home of DISA STIGs among other resources, appears to be signed by a root CA "US DoD CCEB Interoperability Root CA 2" which does not appear to be in any browser list of trusted root CAs. This seems to have changed at some point, because public.cyber.mil used to be accessible without any browser warnings. Certificate chain:

    $ gnutls-cli --print-cert public.cyber.mil 443 </dev/null
    Processed 150 CA certificate(s).
    Resolving 'public.cyber.mil:443'...
    Connecting to '23.9.224.83:443'...
    - Certificate type: X.509
    - Got a certificate list of 2 certificates.
    - Certificate[0] info:
     - subject `CN=comm-cyber.mil,OU=DISA,OU=PKI,OU=DoD,O=U.S. Government,C=US', issuer `CN=DOD SW CA-74,OU=PKI,OU=DoD,O=U.S. Government,C=US', serial 0x087ef6, RSA key 2048 bits, signed using RSA-SHA256, activated `2025-08-11 17:51:06 UTC', expires `2026-09-12 17:51:06 UTC', pin-sha256="zqDELcwzXa0DHRYN6o+J5FGm2fSFXYb3O0knmjH3MrE="
            Public Key ID:
                    sha1:2925dac566b06932f1995cc904f1e723e26d6f5d
                    sha256:cea0c42dcc335dad031d160dea8f89e451a6d9f4855d86f73b49279a31f732b1
            Public Key PIN:
                    pin-sha256:zqDELcwzXa0DHRYN6o+J5FGm2fSFXYb3O0knmjH3MrE=


    -----BEGIN CERTIFICATE-----
    ...snip
    -----END CERTIFICATE-----

    - Certificate[1] info:
     - subject `CN=DOD SW CA-74,OU=PKI,OU=DoD,O=U.S. Government,C=US', issuer `CN=DoD Root CA 6,OU=PKI,OU=DoD,O=U.S. Government,C=US', serial 0x4a, RSA key 2048 bits, signed using RSA-SHA384, activated `2023-05-16 16:05:29 UTC', expires `2029-05-15 16:05:29 UTC', pin-sha256="NJVFdvvbhMFMXyUHKDk1RLnMkkY5Qt9eP3Q0Q8QHPUk="

    -----BEGIN CERTIFICATE-----
    ...snip
    -----END CERTIFICATE-----

    - Status: The certificate is NOT trusted. The certificate issuer is unknown. 
    *** PKI verification of server certificate failed...
    *** Fatal error: Error in the certificate.

discuss

No comments yet.