
Context: We have a private certification authority in my company. We are provisioning VMs in our private cloud which will need to trust SSL certs issued by this CA, i.e. they will need the cert chain installed and trusted. Since provisioning is fully automated, we are committing the .pem of the cert chain (consisting of the Root and one intermediate cert) to a private Git repository. As always, even though the repo is private, the risk of exposure exists.

Question: If said certificate chain is inadvertently made public for any reason, does this expose us to any undue risk?

(I am fairly confident this is fine, but would like to check my sanity against this community, and am hoping the answer will help someone else in the future).

ebr

Related: [What parts of an SSL Certificate can I share without revealing the Certificate Authority's identity?](https://security.stackexchange.com/q/165018/141087) – Stevoisiak Jan 16 '18 at 18:52

2 Answers

There's a reason they're called "public" keys. :) There are hundreds of Root CA certificates bundled with your operating system, etc. If your attacker can factor your public key, you've already lost.

The only concerns I'd have with a private CA are whether or not you expose information about your internal structure that might be useful to an attacker. e.g., details about who operates your CA, particular servers that have the CA private keys for signing...

David

Building on @David's answer, it depends on what's in those certificates and whether you consider that information to be sensitive. For example, this is probably not sensitive:

cn=Root CA, O=ebr, inc, C=US

but this might be:

cn=AWS subnet 101.102.103 Issuing CA, OU=Backend Servers, O=ebr, inc, C=US

Also think about whether the expiry date of the issuing CA is sensitive information, because an attacker will know that all certs need to be rolled over around that date. Is there an OCSP or CDP entry? Does its URL leak info about your network structure? Etc...

Bottom line: In all likelihood, CA certs are fine to be public, but you should open the cert files in a viewer and make sure there's nothing in there that you would rather keep private.

Mike Ounsworth

And building on this, it probably makes sense to pay special attention to whether each piece of information could be changed/invalidated or not. If there's sensitive information in the certificates but it can be changed once it's known to be exposed, that limits the risk. – David Z Jan 16 '18 at 20:08
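The "open the cert files in a viewer" check from the accepted answer, as an added example that is not code from the question or either answer: a pure-Python walker (no third-party library) that lists every human-readable string a PEM chain discloses, i.e. DN components, validity dates and the rfc822Name/dNSName/URI entries that carry SAN, OCSP and CRL locations, across all certificates in the bundle. It is exercised on a constructed cert-shaped DER blob rather than a real signed certificate; the OCSP URL and dates in it are made up.

```python
import base64
import re

# Universal tags whose contents are text or dates, plus the GeneralName context tags
# (IMPLICIT IA5String: rfc822Name [1], dNSName [2], URI [6]) used by SAN, AIA/OCSP and CDP.
KINDS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String", 0x16: "IA5String",
         0x17: "UTCTime", 0x18: "GeneralizedTime", 0x81: "rfc822Name", 0x82: "dNSName",
         0x86: "URI"}

def _read_tlv(der, pos):
    """Return (tag, value, next_pos) for the DER element at pos; ValueError if truncated."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the length-byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    if pos + length > len(der):
        raise ValueError("DER element overruns its container")
    return tag, der[pos:pos + length], pos + length

def der_strings(der):
    """Walk DER and collect every text-bearing leaf as (kind, text)."""
    found, pos = [], 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        if tag & 0x20 or tag == 0x04:         # constructed, or OCTET STRING (extension body)
            try:                              # an OCTET STRING may be opaque (key id): skip it
                found.extend(der_strings(value))
            except (IndexError, ValueError):
                pass
        elif tag in KINDS:                    # [1]/[2]/[6] mean other things in some structures
            text = value.decode("utf-8", "replace")   # (e.g. AKI serial), so require printable
            if text and text.isprintable():           # text to drop binary mis-reads
                found.append((KINDS[tag], text))
    return found

def audit_chain(pem_text):
    """For each CERTIFICATE block in a PEM bundle, return the text it discloses."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [der_strings(base64.b64decode("".join(b.split()))) for b in blocks]

# Constructed sample: a cert-shaped blob (Name, Validity, AIA extension), not a real signed cert.
def _tlv(tag, content):                       # DER TLV encoder; lengths up to 255 suffice here
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content
def _rdn(oid, text):                          # SET { SEQUENCE { OID, PrintableString } }
    return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x13, text.encode())))
OCSP = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2B\x06\x01\x05\x05\x07\x30\x01")        # id-ad-ocsp
                            + _tlv(0x86, b"http://ocsp.backend.corp.example/")))
SAMPLE_DER = _tlv(0x30,
    _tlv(0x30, _rdn(b"\x55\x04\x03", "AWS subnet 101.102.103 Issuing CA")          # CN, OU, O
             + _rdn(b"\x55\x04\x0B", "Backend Servers") + _rdn(b"\x55\x04\x0A", "ebr, inc"))
    + _tlv(0x30, _tlv(0x17, b"180116000000Z") + _tlv(0x17, b"280116000000Z"))      # validity
    + _tlv(0x30, _tlv(0x06, b"\x2B\x06\x01\x05\x05\x07\x01\x01") + _tlv(0x04, OCSP)))  # AIA
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```

Run `audit_chain(open("chain.pem").read())` on the committed bundle and read the list for anything (subnet names, internal hostnames in OCSP/CRL URLs, rollover dates) you would not want public.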