Question
How can I find a domain whose root certificate is AAACertificateServices? Note this is a Comodo certificate.
To prepare for a dependent server whose certificate will change soon, it looks like my clients do have this certificate. However, I'd like to verify that my clients will work now by sending a request to a domain that is already using AAACertificateServices.
Answer 1:
You can find some by poking around on crt.sh, although it does take a bit of digging.
https://crt.sh/?Identity=%25&iCAID=840&exclude=expired will give you a list of unexpired certificates issued by the certificate referred to in your question. By clicking through, searching, and going down a few rabbit holes you'll be able to find that, for example, kicassl.com is currently presenting such a certificate.
Example (abridged) output from openssl s_client -showcerts -connect www.kicassl.com:443:
Certificate chain
0 s:serialNumber = 1108141568, jurisdictionC = KR, businessCategory = Private Organization, C = KR, ST = Gyeonggi-Do, L = Seongnam-si, street = "242, Pangyo-ro, Bundang-gu", O = Korea Information Certificate Authority Inc., OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = COMODO EV SSL, CN = www.kicassl.com
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Extended Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIHyDCCBrCgAwIBAgIQVg8zhfgL...
-----END CERTIFICATE-----
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Extended Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIQKE45wUs4...
-----END CERTIFICATE-----
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQOXJEOvki...
-----END CERTIFICATE-----
3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgk...
-----END CERTIFICATE-----
where the last cert in the chain is the one you're looking for.
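The chain check described in the answer above, as an added example that is not part of the original answer: it parses the s:/i: lines of `openssl s_client -showcerts` output and reports whether the presented chain links up to a given root CN. The function names are hypothetical, and the sample input is constructed from the output quoted above; pipe real s_client output in on stdin to check another host.

```python
import re
import sys

# Constructed sample: the s:/i: lines of the s_client output quoted in the
# answer above, with the PEM bodies left out.
SAMPLE = """\
Certificate chain
 0 s:serialNumber = 1108141568, jurisdictionC = KR, businessCategory = Private Organization, C = KR, ST = Gyeonggi-Do, L = Seongnam-si, street = "242, Pangyo-ro, Bundang-gu", O = Korea Information Certificate Authority Inc., OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = COMODO EV SSL, CN = www.kicassl.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Extended Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Extended Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
"""

ENTRY_RE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")   # " 0 s:<DN>" and "   i:<DN>"
CN_RE = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)")   # "CN = x" and "/CN=x" styles

def cn_of(dn):
    """Common name from a one-line DN (CNs containing ',' or '/' are not handled)."""
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else None

def parse_chain(text):
    """Return [{'subject': cn, 'issuer': cn}, ...] in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, dn = m.groups()
        if kind == "s":
            chain.append({"subject": cn_of(dn), "issuer": None})
        elif chain:
            chain[-1]["issuer"] = cn_of(dn)
    return chain

def anchored_at(chain, root_cn):
    """True if each cert names the next one as issuer and the top issuer is root_cn (names only)."""
    if not chain:
        return False
    linked = all(c["issuer"] == p["subject"] for c, p in zip(chain, chain[1:]))
    return linked and chain[-1]["issuer"] == root_cn

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(anchored_at(parse_chain(text), "AAA Certificate Services"))
```

It compares names in the chain the server sends and does not verify signatures. A client whose trust store also contains USERTrust RSA Certification Authority may build a shorter path that never reaches AAA Certificate Services.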
Answer 2:
https://crt.sh/?Identity=%25&iCAID=840&exclude=expired
Use this link to check all* certificates from AAACertificateServices that are not expired.
*: Some certificates may not be submitted to CT logs. Only certificates that are submitted to trusted CT logs will be recorded.
Why?
Consider that there is a certificate registration. A certificate that is "registered" will be recorded. If someone uses AAACertificateServices to issue and sign a certificate but the certificate isn't registered, the certificate is not recorded.
Conclusion:
You can check certificates that are recorded in trusted CT logs, but you can't check certificates that are not "registered" and "recorded".
Source: https://stackoverflow.com/questions/66162297/an-example-of-a-domain-that-uses-aaacertificateservices-cert