Monday, December 29, 2014

Security of SSL certificates bought via resellers



There are many SSL certificate resellers. Some are well-known enterprises with a good reputation (e.g. domain name registrars), while others are small, unknown companies.


It is clear that resellers don't have access to the private keys of certificates purchased through them (unless the private key is handed to the reseller or obtained from it; a CSR does not contain the private key).


But the tricky part is the validation procedure performed on reissuance (issuance of a similar certificate with a different private key during the validity period of the original certificate).



  1. My experience shows that, at least in some reseller-CA combinations, old certificates are not automatically or immediately revoked on reissuance. This leads to a situation where several certificates (with different private keys) for the same domain name are valid during the same validity period, all obtained from the same certificate purchase. There are also some legitimate use cases for this (e.g. multiple servers serving the same site are secured with the "same" certificate, and each server has its own private key). Are there CAs that automatically revoke old certificates on reissuance?

  2. My experience shows that, at least in some reseller-CA combinations, (at least domain-level) re-validation is always done on reissuance. Are there any regulations for CAs that enforce re-validation on every reissuance? Is there a risk that a malicious reseller could deceive the CA and request a certificate reissuance without the re-validation procedure (i.e. can a malicious reseller generate his own CSR, give it to the CA/RA and get it signed, claiming his customer is doing a reissuance)? If yes, are there CAs whose policies require re-validation on every reissuance?


Basically the question is: is it secure to buy SSL certificates from cheap (and unknown) resellers? Or can they abuse the reissuance process (by fooling CAs/RAs into issuing fraudulent certificates)?
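As an added illustration from the site operator's side (not part of the original post), the check below runs over constructed certificate records, in the shape a CT-log monitor or a reseller's control panel might list them, and flags the two situations raised above: a live certificate bound to a public key the operator never generated, and an older certificate that the CA left valid after a reissue. The record layout, serials and "KEY-*" fingerprints are assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: certificate records for one domain. Serials and SPKI
# fingerprints are made-up placeholders, not real certificates.
CERTS = [
    {"serial": "01", "domain": "example.com", "spki": "KEY-A",
     "not_before": date(2014, 1, 1), "not_after": date(2015, 1, 1), "revoked": False},
    {"serial": "02", "domain": "example.com", "spki": "KEY-B",
     "not_before": date(2014, 6, 1), "not_after": date(2015, 1, 1), "revoked": False},
    {"serial": "03", "domain": "example.com", "spki": "KEY-Z",
     "not_before": date(2014, 9, 1), "not_after": date(2015, 1, 1), "revoked": False},
]

# SPKI fingerprints of the keys the operator generated itself (the CSR keys).
# A reseller never sees the private key, so a live certificate bound to a key
# outside this set was not requested by the operator.
KNOWN_KEYS = {"KEY-A", "KEY-B"}


def audit(certs, known_keys, today):
    """Return findings for certificates that are valid on `today`:
    ("unknown_key", serial): the key was not generated by the operator;
    ("superseded_not_revoked", serial): an older operator certificate is
    still valid although a newer one was issued for the same domain.
    """
    findings = []
    live = [c for c in certs
            if not c["revoked"] and c["not_before"] <= today <= c["not_after"]]
    by_domain = defaultdict(list)
    for c in live:
        if c["spki"] not in known_keys:
            findings.append(("unknown_key", c["serial"]))
        else:
            by_domain[c["domain"]].append(c)
    for group in by_domain.values():
        group.sort(key=lambda c: c["not_before"])
        # Every operator certificate except the newest is a reissue leftover the
        # CA did not revoke; the operator must decide whether it is still meant
        # to be in use (e.g. one key per server) or should be revoked.
        for old in group[:-1]:
            findings.append(("superseded_not_revoked", old["serial"]))
    return findings


if __name__ == "__main__":
    for finding in audit(CERTS, KNOWN_KEYS, date(2014, 10, 1)):
        print(finding)
```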




