[AdamJacobMuller]

I haven't found any, yet. I would love to have a list of domains affected by this to cross-check that none of my issued certificates were affected by this.

[schoen]

The list of all affected SHA256 fingerprints is in https://bug1838667.bmoattachments.org/attachment.cgi?id=9340...

You can get the SHA256 fingerprint for your certificate by running

  openssl x509 -in mycert.pem -sha256 -fingerprint -noout 

If you don't like the format,

  openssl x509 -in mycert.pem -sha256 -fingerprint -noout | cut -d= -f2 | tr -d : | tr A-F a-f

will match the format in the list of affected certificates more closely.

If you need to do this against a web server and don't already have a copy of the certificate locally, something like

  echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null <&- | openssl x509 -sha256 -fingerprint -noout | cut -d= -f2 | tr -d : | tr A-F a-f

(This example outputs the actual SHA256 fingerprint for the real domain example.com, which is not affected.)

[agwa]

Here's a list of affected DNS names: https://gist.github.com/AGWA/5b02c2bb07fc847733fa2a5c1931c4f...

[AdamJacobMuller]

Thank you and much appreciated, fortunately had no affected certs. I guess I need to spend some time implementing ARI :)