Hacker News new | ask | show | jobs
by vb-8448 687 days ago
I've always seen microsoft certificates signed by digicert, who knows.
1 comments
agwa 687 days ago
You're probably seeing the root certificate, which is operated by DigiCert.

The intermediate CAs which issue the end-entity certificates are operated by Microsoft.

Figuring out who truly issued a certificate is tricky business: https://www.agwa.name/blog/post/the_certificate_issuer_field...

link
vb-8448 687 days ago
This is what i see for eg for outlook.com:

root issuer: CN = DigiCert Global Root CA OU = www.digicert.com O = DigiCert Inc C = US

intermediate issuer: CN = DigiCert Global Root CA OU = www.digicert.com O = DigiCert Inc C = US

server certificate issuer: CN = DigiCert SHA2 Secure Server CA O = DigiCert Inc C = US

link
agwa 687 days ago
Interesting, that truly is issued by DigiCert.

The end-entity certificates I see for microsoft.com, azure.microsoft.com, portal.azure.com are all issued by:

C = US, O = Microsoft Corporation, CN = Microsoft Azure RSA TLS Issuing CA 0X [where X varies]

In any case, I just analyzed DigiCert's CRLs and it doesn't look like they've done many revocations yet. These are the only CT-logged certs revoked in the last 24 hours with reason code 4 (required when domain validation is done improperly):

https://gist.github.com/AGWA/2d22a1a94ef80ccdb38e3248323f434...

I don't see any Microsoft/Azure domains in that list.

link