TURKTRUST Unauthorized CA Certificates

Bruce Morton

Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.

It has been reported that the TURKTRUST certification authority (CA) inadvertently issued two intermediate CA certificates in August 2011. The certificates were issued in error due to test code being moved into production. The certificates issued were for “*.EGO.GOV.TR” and “e-islem.kktcmerkezbankasi.org.”

According to TURKTRUST, on December 6, 2012, the “*.EGO.GOV.TR” intermediate CA certificate was moved to a Check Point firewall that was configured for SSL inspection. In this mode the firewall automatically generates a certificate for every SSL connection it intercepts, and in this case it issued a “*.google.com” certificate. TURKTRUST stated that the certificate was not issued for dishonest purposes.

This is not acceptable, but mistakes do happen. In this case, the mistake was again detected by Chrome’s public key pinning, which flagged that a fraudulent Google certificate had been issued.
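To show how pinning catches this, here is an added example of mine (not Chrome’s code), with freshly generated keys standing in for the certificates in each chain: a pin is the SHA-256 of a certificate’s SubjectPublicKeyInfo, and a connection passes only if some certificate in the presented chain carries a pinned key. A chain that validates to a trusted root but contains none of the pinned keys is rejected, which is exactly the situation described above. The function names (spkiPin, pinCheck, demo) and the chain shapes are my own assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// spkiPin hashes a public key's SubjectPublicKeyInfo (DER) with SHA-256 and base64-encodes
// the result, the form used by public key pinning. A browser takes the same hash over the
// SubjectPublicKeyInfo of each certificate in the chain it was presented.
func spkiPin(pub crypto.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinCheck reports whether at least one key in the presented chain is in the pin set.
// A chain that chains to a trusted root but contains no pinned key is rejected, which is
// how a certificate minted under an unrelated CA gets caught.
func pinCheck(chain []crypto.PublicKey, pins map[string]bool) bool {
	for _, pub := range chain {
		if pins[spkiPin(pub)] {
			return true
		}
	}
	return false
}

// newKey generates a throwaway P-256 key standing in for one certificate's key (constructed data).
func newKey() crypto.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &k.PublicKey
}

// demo builds two constructed chains (leaf first): the site's real chain, and a chain ending
// in a different root whose mistakenly issued CA minted a certificate for the same site name.
// The pin set covers the site's legitimate root, as a browser's preloaded pins would.
func demo() (legitOK, rogueOK bool) {
	legitRoot, legitLeaf := newKey(), newKey()
	otherRoot, rogueCA, rogueLeaf := newKey(), newKey(), newKey()
	pins := map[string]bool{spkiPin(legitRoot): true}
	return pinCheck([]crypto.PublicKey{legitLeaf, legitRoot}, pins),
		pinCheck([]crypto.PublicKey{rogueLeaf, rogueCA, otherRoot}, pins)
}

func main() {
	legitOK, rogueOK := demo()
	fmt.Println("legitimate chain accepted:", legitOK)
	fmt.Println("chain from the unauthorized CA accepted:", rogueOK)
}
```

The point of the check is that trust-store validation alone is not enough: the rogue chain is perfectly valid cryptographically and terminates in a root the client trusts, and only the pin set tells the browser that the key is not one the site is known to use.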

Most browsers (Google Chrome, Microsoft IE and Mozilla Firefox) took corrective action and blacklisted the inadvertently issued intermediate CA certificates.

What else can be done? Here are some ideas:

Limit CA Functionality – If a CA is not supposed to issue CA certificates, then disable this functionality. If the CA is only supposed to issue SSL certificates, then disable the functionality for Code Signing and S/MIME. Limiting functionality limits the risk.

Automated Certificate Inspection – Every issued certificate should be inspected against a defined set of criteria. All issued certificates could be checked for minimum key size, signing algorithm, CRL distribution point (CDP), OCSP authority information access (AIA) and basic constraints. If the basic constraints extension marks the subject as a CA, then an investigation should be performed to ensure that issuance of the CA certificate was authorized.
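As an added illustration of mine (not TURKTRUST’s or Entrust’s code), the following Go program applies these checks to a set of constructed certificates modelled on the incident: a root that issues a normal site certificate and, by mistake, a CA certificate, which then mints a certificate for another name the way an inspecting firewall would. The thresholds (2048-bit RSA, 256-bit EC, SHA-2 signatures), the hostnames, the CRL and OCSP URLs and the helper names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// inspect applies the post's criteria to one issued certificate and returns the violations.
// The thresholds (2048-bit RSA, 256-bit EC, SHA-2 signatures) are assumptions for this example.
func inspect(c *x509.Certificate) []string {
	var f []string
	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			f = append(f, "RSA key smaller than 2048 bits")
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < 256 {
			f = append(f, "EC key smaller than 256 bits")
		}
	default:
		f = append(f, "unexpected public key type")
	}
	switch c.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		f = append(f, "weak or unexpected signature algorithm: "+c.SignatureAlgorithm.String())
	}
	if len(c.CRLDistributionPoints) == 0 {
		f = append(f, "missing CRL distribution point")
	}
	if len(c.OCSPServer) == 0 {
		f = append(f, "missing OCSP responder in AIA")
	}
	if c.IsCA { // basic constraints mark a CA: a person must confirm this issuance was authorized
		f = append(f, "CA certificate: confirm issuance was authorized")
	}
	return f
}

// must panics on error so the scenario setup stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate template; every value in it is constructed for this example.
func template(cn string, ca bool, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"},
		OCSPServer:            []string{"http://ocsp.example.test"},
	}
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the parsed
// certificate together with its freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// issuedCerts mirrors the incident with constructed keys. The root issues a normal site
// certificate, then mistakenly issues a CA certificate; that CA then mints a certificate for
// another site name, as an inspecting firewall would. Only the first two pass through the
// root CA's issuance pipeline, which is where automated inspection runs.
func issuedCerts() []*x509.Certificate {
	root, rootKey := issue(template("Example Root", true, 1), nil, nil)
	site, _ := issue(template("www.example.test", false, 2), root, rootKey)
	inter, interKey := issue(template("*.EGO.GOV.TR", true, 3), root, rootKey) // the mistake
	minted, _ := issue(template("*.google.com", false, 4), inter, interKey)
	return []*x509.Certificate{site, inter, minted}
}

func main() {
	for _, c := range issuedCerts() {
		fmt.Printf("%-18s findings: %v\n", c.Subject.CommonName, inspect(c))
	}
}
```

Note that the certificate the firewall minted never passed through the root CA’s issuance pipeline, so inspection there can only catch the intermediate; the minted certificate itself looks clean by these criteria. That is why the basic constraints check is the one that matters at the CA, and why pinning and Certificate Transparency are needed on the outside.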

Audit – Both internal and external audits could be performed to manually inspect issued certificates. If a CA certificate is found, then an investigation should be performed to ensure it was authorized.

Certificate Transparency – We can help domain owners check for fraudulent website certificate issuance. This could be done with the further development and deployment of Certificate Transparency (CT). CT will make it possible for domain owners to inspect logs to see if any certificates were issued for one of their domains.

Updated January 7, 2013: TURKTRUST has provided an announcement and technical details.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
