Blue Coat Intermediate CA Certificate Has Not Been Revoked

In a recent Internet security kerfuffle, Symantec issued the surveillance company Blue Coat Systems a powerful digital certificate that allows it to masquerade as any secure business or financial institution by impersonating their web servers.  See my original post for background, Blue Coat has Intermediate CA signed by Symantec.

In a statement, Symantec notes that companies often test with their own Intermediate CA.  While it’s true that companies test their PKI processes, it is very uncommon for Intermediate CA certificates in a test environment to chain to roots trusted by popular web browsers.  Any Intermediate CA certificate that chains to a trusted root is, by definition, a live production certificate.


Symantec goes on to note that certificates used in testing are “discarded” once tests are completed.  Unfortunately, this type of public communication is difficult to interpret from a technical standpoint.  The standard practice for assuring the public that a certificate cannot be used is to revoke it.  In the PKI system, a certificate that has been revoked triggers prominent warnings when users try to browse web sites that present it.  The assurance we want is that the certificate is revoked; whether Blue Coat still holds the private key is immaterial.

To better understand the communication from Symantec, I checked the Blue Coat CA revocation status.  The result is that the Blue Coat CA certificate has not been revoked.  While there is no evidence of inappropriate use, nothing about this incident, in the way it has been explained or handled, is industry best practice or even normal practice.  This is not the first time Symantec’s certificate-management processes have been called into question by security researchers; see The Case of Symantec’s Mysterious Digital Certificates.

You can test the Blue Coat CA certificate revocation status yourself with the following procedure.

Step 1 – Download Blue Coat CA Certificate
Download the Bluecoat CA Certificate to your computer.
 
Step 2 – Extract CRL host from Bluecoat Certificate
I’m using a work-in-progress tool I wrote, DeepViolet, to read the certificate, but openssl is a well-established alternative available on many operating systems.  If you’re using openssl you can view the certificate with: openssl x509 -in bluecoat-cert.crt -text -noout
 
java -jar dvCMD.jar -rc ../Downloads/bluecoat-cert.crt
Starting headless via dvCMD
Trusted State=>>>UNKNOWN<<<
Validity Check=VALID, certificate valid between Wed Sep 23 17:00:00 PDT 2015 and Tue Sep 23 16:59:59 PDT 2025
SubjectDN=CN=Blue Coat Public Services Intermediate CA, OU=Symantec Trust Network, O="Blue Coat Systems, Inc.", C=US
IssuerDN=CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial Number=108181804054094574072020273520983757507
Signature Algorithm=SHA256withRSA
Signature Algorithm OID=1.2.840.113549.1.1.11
Certificate Version =3
SHA256(Fingerprint)=AF:70:11:C3:EF:70:A7:96:26:B1:43:A7:14:99:96:FF:15:2F:75:62:85:1D:08:C3:AA:DC:DE:E8:29:9E:57:2B
Non-critical OIDs
CRLDistributionPoints=[http://s.symcb.com/pca3-g5.crl]
AuthorityInfoAccess=[ocsp=http://s.symcd.com]
CertificatePolicies=[2.23.140.1.2.2=qualifierID=http://www.symauth.com/cpsCPSUserNotice=http://www.symauth.com/rpa1.3.6.1.4.1.14501.4.2.1=CPSUserNotice=In the event that the BlueCoat CPS and Symantec CPS conflict, the Symantec CPS governs.1.3.6.1.4.1.14501.4.2.2=CPSUserNotice=In the event that the BlueCoat CPS and Symantec CPS conflict, the Symantec CPS governs.]
AuthorityKeyIdentifier=[7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33]
SubjectKeyIdentifier=[47:95:0A:0B:A7:A1:82:A2:6D:C9:9B:9C:CD:3E:F3:90:42:E4:6F:99]
ExtendedKeyUsages=[serverauth clientauth]
SubjectAlternativeName=[[[2.5.4.3, SymantecPKI-2-214]]]
Critical OIDs
KeyUsage=[nonrepudiation keyencipherment]
BasicConstraints=[TRUE0]
 
Processing complete, execution(ms)=784
Step 3 – Download CRL
Download the certificate revocation list from the server specified in the certificate.
 
wget -O bluecoat-symcb-crl.der http://s.symcb.com/pca3-g5.crl
Step 4 – Display CRL
Now that we have the certificate revocation list we can view the list of certificates revoked.  Apparently there are no revoked certificates.
 
openssl crl -inform DER -text -in bluecoat-symcb-crl.der
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Last Update: Mar 22 00:00:00 2016 GMT
        Next Update: Jun 30 23:59:59 2016 GMT
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
        18:32:9f:5a:ed:de:b4:e1:c0:4a:97:de:3b:81:7e:5e:0e:10:
        fa:1b:b4:4e:97:33:d4:88:67:2b:fc:d2:8c:9a:b4:cb:7f:27:
        c5:19:ae:14:73:e0:63:c0:35:ae:e5:ed:3f:8a:32:bf:e3:c1:
        51:84:2f:23:60:e2:86:d2:79:8d:f5:3b:a0:69:1d:bd:ca:c6:
        3f:49:ed:7b:f8:a4:d0:ae:fa:0f:3a:35:c4:b6:ad:1c:bd:7c:
        35:e0:8f:62:83:e1:db:c6:05:92:98:2c:3a:12:48:2b:c9:59:
        a7:c1:de:1f:d0:6e:4e:1f:1d:3b:cb:5e:d1:e2:79:8c:c0:64:
        35:14:b1:04:87:04:4c:8f:3b:6f:10:ac:e8:6c:b4:b0:fb:69:
        15:de:9c:70:1a:1b:e7:be:af:18:a8:29:7e:c5:aa:73:e9:c8:
        3c:79:a3:fc:23:9a:9f:16:55:34:9e:c1:5c:fd:68:51:4a:6f:
        7b:51:53:a7:a3:f4:c7:70:3c:03:58:e6:0a:8f:f1:44:e1:ad:
        c7:b0:a4:dc:e5:be:ba:92:84:93:ac:71:24:ba:70:e4:cf:ed:
        84:6b:c2:b3:a1:49:3f:55:10:1c:b9:90:51:32:ee:6a:3e:85:
        0a:83:a8:80:f2:60:c0:87:3f:7f:b3:fc:b1:49:d2:17:0e:3e:
        c7:74:e5:23
 
 

Author: milton

For bio see, https://www.securitycurmudgeon.com/about/