[c-nsp] SSL cert for tools.cisco.com revoked?

Tim Utschig tim at tetro.net
Tue Dec 15 15:42:25 EST 2009


Apologies if this is off-topic...

Is anyone else seeing "Peer's Certificate has been revoked."
while attempting to access tools.cisco.com?  Currently using
Firefox.  I found a Windows PC, and it seems that MSIE doesn't care
even after enabling CRL checking.  I can only visit the site in
Firefox if I disable OCSP.

I verified the problem using OpenSSL command line tools.
Verisign OCSP server claims the certificate is revoked as of Dec
15 17:43:33 2009 GMT.  Reason "unspecified".

The certificate is valid from 2009-12-08 to 2010-12-08, so maybe
there was some problem while updating the certificate and they
had to throw it out and start over.  Accidental disclosure or
compromise of the private key?


$ openssl s_client -CApath /etc/ssl/certs -showcerts \
> -connect tools.cisco.com:443 < /dev/null > tools-cisco-com.chain
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary
Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For
authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3
Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=Cisco
Systems/OU=ATS/CN=tools.cisco.com
verify return:1
DONE

# put the three certs in the chain into separate files

$ cp tools-cisco-com.chain tools-cisco-com.chain.1
$ cp tools-cisco-com.chain tools-cisco-com.chain.2
$ cp tools-cisco-com.chain tools-cisco-com.chain.3
$ vim tools-cisco-com.chain.?

$ openssl ocsp -issuer tools-cisco-com.chain.2 \
> -cert tools-cisco-com.chain.1 -url http://ocsp.verisign.com
WARNING: no nonce in response
Response Verify Failure
8966:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
tools-cisco-com.chain.1: revoked
    This Update: Dec 15 17:47:45 2009 GMT
    Next Update: Jan  8 04:59:50 2010 GMT
    Reason: unspecified
    Revocation Time: Dec 15 17:43:33 2009 GMT


-- 
   - Tim Utschig <tim at tetro.net>
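The check from the post, scripted as an added example (not code from the post or from Cisco): it splits the saved chain instead of hand-editing three copies, passes the chain as -CAfile so the responder signature can be verified, and flags a verdict that arrives alongside a verify failure. The file names, the numbering scheme and the -CAfile choice are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: scripts the manual
# "copy the bundle three times and trim it in vim" step and the OCSP query.
# File names, the output prefix and the -CAfile choice are assumptions.

# Split a PEM bundle (e.g. `openssl s_client -showcerts` output) into
# $2.1, $2.2, ... in the order the server sent them (leaf first).
# Non-certificate lines (depth=..., verify return:...) are dropped.
# Prints the number of certificates written.
split_chain() {
    awk -v p="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = p "." n; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Pull the "<file>: good|revoked|unknown" verdict out of `openssl ocsp` output.
ocsp_status() {
    printf '%s\n' "$1" | awk '
        $2 == "good" || $2 == "revoked" || $2 == "unknown" { print $2; f = 1; exit }
        END { if (!f) print "no-status" }'
}

# True only when openssl verified the responder signature. A verdict printed
# after "Response Verify Failure" (as in the post) is unauthenticated data.
ocsp_verified() {
    printf '%s\n' "$1" | grep -q '^Response verify OK'
}

# Query the responder for one leaf/issuer pair. -CAfile hands openssl the
# whole chain so it can build a path to the responder's signing cert, which
# the bare command in the post could not ("unable to get local issuer").
ocsp_check() {
    out=$(openssl ocsp -issuer "$2" -cert "$1" -CAfile "$3" -url "$4" 2>&1)
    if ocsp_verified "$out"; then
        echo "$1: $(ocsp_status "$out") (responder signature verified)"
    else
        echo "$1: $(ocsp_status "$out") (RESPONSE NOT VERIFIED)"
    fi
}

# Usage, mirroring the post: ./ocsp-check.sh tools-cisco-com.chain [ocsp-url]
if [ -n "${1:-}" ]; then
    n=$(split_chain "$1" "$1")   # writes $1.1 (leaf), $1.2 (issuer), ...
    [ "$n" -ge 2 ] && ocsp_check "$1.1" "$1.2" "$1" "${2:-http://ocsp.verisign.com}"
fi
```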
