An example of a domain that uses AAACertificateServices cert

Submitted by 依然范特西╮ on 2021-02-20 13:30:48

Question


How can I find a domain whose root certificate is AAACertificateServices? Note this is a Comodo certificate.

To prepare for a dependent server whose certificate will change soon, it looks like my clients do have this certificate. However, I'd like to verify that my clients will work now by sending a request to a domain that is already using AAACertificateServices.


Answer 1:


You can find some by poking around on crt.sh, although it does take a bit of digging.

https://crt.sh/?Identity=%25&iCAID=840&exclude=expired will give you a list of unexpired certificates issued by the certificate referred to in your question. By clicking through, searching, and going down a few rabbit holes you'll be able to find that, for example, kicassl.com is currently presenting such a certificate.

Example (abridged) output from openssl s_client -showcerts -connect www.kicassl.com:443:

Certificate chain
 0 s:serialNumber = 1108141568, jurisdictionC = KR, businessCategory = Private Organization, C = KR, ST = Gyeonggi-Do, L = Seongnam-si, street = "242, Pangyo-ro, Bundang-gu", O = Korea Information Certificate Authority Inc., OU = "Hosted by Korea Information Certificate Authority, Inc.", OU = COMODO EV SSL, CN = www.kicassl.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Extended Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIHyDCCBrCgAwIBAgIQVg8zhfgL...
-----END CERTIFICATE-----
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Extended Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIQKE45wUs4...
-----END CERTIFICATE-----
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQOXJEOvki...
-----END CERTIFICATE-----
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgk...
-----END CERTIFICATE-----

where the last cert in the chain is the one you're looking for.
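
Added example, not part of the original answer: a Python script that parses the "Certificate chain" section printed by openssl s_client -showcerts, checks that each issuer matches the next subject, and reports the CN at the top of the chain. The function names and the shortened sample DNs are constructed for illustration, and the check compares names only; it does not verify signatures.

```python
import re
import sys

# Constructed sample: subject/issuer lines from the abridged output above,
# PEM bodies dropped and the DNs shortened.
SAMPLE = """Certificate chain
 0 s:C = KR, street = "242, Pangyo-ro, Bundang-gu", OU = COMODO EV SSL, CN = www.kicassl.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Extended Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Extended Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, O = Comodo CA Limited, CN = AAA Certificate Services
 3 s:C = GB, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, O = Comodo CA Limited, CN = AAA Certificate Services
"""

# One chain entry: " <depth> s:<subject>" followed by "   i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]

def common_name(dn):
    """Extract the CN from a DN in the 'CN = value' form shown above."""
    m = re.search(r"(?:^|,\s*)CN\s*=\s*(.*?)\s*(?:,\s*\w+\s*=|$)", dn)
    return m.group(1) if m else None

def check_chain(text, expected_root_cn):
    """Name-chaining check only; it does not verify signatures."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'Certificate chain' entries found")
    # Each certificate's issuer must be the next certificate's subject.
    linked = all(chain[n][2] == chain[n + 1][1] for n in range(len(chain) - 1))
    _, top_subject, top_issuer = chain[-1]
    return {
        "linked": linked,
        "root_sent": top_subject == top_issuer,  # self-signed root included
        "top_issuer_cn": common_name(top_issuer),
        "matches": linked and common_name(top_issuer) == expected_root_cn,
    }

if __name__ == "__main__":
    # Reads s_client output from stdin when piped, otherwise uses the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(check_chain(data, "AAA Certificate Services"))
```

To run it on live output, pipe openssl s_client -showcerts -connect www.kicassl.com:443 </dev/null into the script. The chain printed is what the server sends; which root a client ends up trusting depends on that client's own trust store.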




Answer 2:


https://crt.sh/?Identity=%25&iCAID=840&exclude=expired

Use this link to check all* certificates from AAACertificateServices that are not expired.

*: Some certificates may not be submitted to a CT log. Only certificates that are submitted to trusted CT logs will be recorded.


Why?


Consider that there is a certificate registration. A certificate that is "registered" will be recorded. If someone uses AAACertificateServices to issue and sign a certificate, but the certificate isn't registered, the certificate is not recorded.


Conclusion:

You can check certificates that are recorded in trusted CT logs, but you can't check certificates that are not "registered" and "recorded".



Source: https://stackoverflow.com/questions/66162297/an-example-of-a-domain-that-uses-aaacertificateservices-cert
