Indicate known certificates in sent mails

[stoecker]

I have about 50 entries in my watchlist (heavily using subdomains) and separating mails for legitimate use and fraud is hard.

Please add a check whether the certificate matches a known private key
I.e. by adding the modulus of the private key: "openssl rsa -in private.key -modulus -noout" in a knownkeyslist and check the certificates again this: "openssl x509 -in cert.pem -modulus --noout" [editor's note: comparing by modulus only is not correct]. When it matches the mail subject could then include a "known" or another keyword.

This way it would be much easier to find bad certificates.

[stoecker]

This could also solve #13, #74 and #76.

[stoecker]

@AGWA: If you modify my text please also explain why. The two components to identify a private key are modulus and exponent. Modulus alone should be enough to identify a matching private key for the given purpose. If you want to be 100% exact it's modulus and exponent (Can be output with -text).

[Blason]

@stoecker I am keen to know about the email notifications you configured. did you use sendmail or any other MTA to send emails? Would you mind sharing your email settings of course with masking all your private information. And how are you monitoring the certspotter continuously? Have you created the service for it?

[stoecker]

In /etc/systemd/system/certspotter.service

[Unit]
Description=Certificate Transparency Log Monitor
Documentation=man:certspotter(8)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=certspotter
Environment=CERTSPOTTER_CONFIG_DIR=/etc/certspotter CERTSPOTTER_STATE_DIR=/var/cache/certspotter EMAIL=...mymail...
ExecStart=/home/euronav/certspotter/certspotter -verbose -start_at_end
ConfigurationDirectory=certspotter
CacheDirectory=certspotter
# not strict, because we want to allow some flexibility to hooks
ProtectSystem=full

[Install]
WantedBy=multi-user.target

in /etc/certspotter email_recipients, keylist, watchlist

The file needs a modification with email address. I was to lazy yet to move that into a config file ;-)

I use a local running postfix with opendkim as signature service. If wanted I can describe that setup here, but that's a bit harder to describe and setup and it needs a bit knowledge about mail server setup to do it right. Operating a proper mail server is no easy task nowadays,

On the mail receiving server side is used dovecot with server side filtering with sieve to sort mails into the corresponding mail folders.

Due the amount of domains I monitor getting the mails is enough to see if service is running. Usually there are Let'sEncrypt renewals every week, so there is no special monitor service beside systemd daemon handling.

[stoecker]

If mail server knowledge is missing something like this can help: https://phoenixnap.com/kb/postfix-smtp - Configure postfix to relay any mail to submission port of another server with username/password. Here it's not so important to setup all details right, as the target server has to do all the proper email stuff, the local postfix acts as MDA.

[schildbach]

I have the same problem, but I suspect a "private key whitelist" would not suffice. Many certificate renewals, such as those of the popular reverse proxy Traefik, rotate not only the cert but also the private key.

That said, maybe if DANE is configured for the domain it could use the pinning info from there?