Is it possible to block a specific TLS CA (certificate authority) on a network? For example, block all certs that are issued by letsencrypt on my network. Is there any IP or host name for blocking?
- You can remove its CA certificate from your computer. How you do that depends on operating system and browser. – Michael Hampton Sep 04 '18 at 16:17
- That really depends on what you're actually trying to achieve. Do you want to stop trusting certificates issued by that CA? Or do you want to prevent a particular CA from issuing certificates for your systems? – HBruijn Sep 04 '18 at 16:19
- I know that, but I want to block it on the main network – neb Sep 04 '18 at 16:20
- I just want to block the letsencrypt CA root server in the main network – neb Sep 04 '18 at 16:21
- It is per-machine configuration. You have to configure each machine to distrust the CA certificate. If possible, you should automate the process by using means provided by your operating system. But this is not a complete solution. Some software (like the Firefox browser) uses its own root certificate store, so you will need to reconfigure these applications too. – Crypt32 Sep 04 '18 at 16:51
- Just to be clear, are you trying to block letsencrypt certs from being issued for your domain, or are you trying to block trusting of any letsencrypt-signed certs? – Zoredache Sep 04 '18 at 17:13
- Imagine I have a server with 10 virtual VPSes running on it; I want to block any request to letsencrypt to prevent validating certs – neb Sep 04 '18 at 17:16
2 Answers
If you want to block letsencrypt (or any CA) issuing for your domain and you control your own DNS, then publish a CAA record within your domain.
So if you want to block all CAs you could add a record like
example.com. IN CAA 0 issue ";"
> Imagine I have a server with 10 virtual VPSes running on it; I want to block any request to letsencrypt to prevent validating certs
If you are running all the web servers you could block the HTTP-01 challenge by adjusting your web server to block access to the /.well-known/acme-challenge/ location. If you have a reverse proxy or web filter in place on incoming traffic you could also block these URLs there.

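As an added example (not part of the answer above), the following Python evaluates CAA records the way a CA is required to under RFC 8659: it climbs from the requested name towards the root until it finds a CAA RRset, lets `issuewild` take precedence for wildcard names, refuses on an unknown critical property, and treats `issue ";"` as "no CA may issue". It goes beyond the single record in the answer by covering those cases too. The zone data, the hostnames and the example CA domains are constructed for illustration; `letsencrypt.org` is the issuer domain Let's Encrypt publishes for CAA.

```python
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # CAA flag bit: an unknown tag with this set means "do not issue"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str
# Constructed zone data standing in for real DNS answers (hypothetical names).
ZONE = {
    "example.com.": [CAA(0, "issue", ";")],                   # nobody may issue
    "shop.example.com.": [CAA(0, "issue", "letsencrypt.org"),
                          CAA(0, "issuewild", ";")],           # LE only, no wildcards
    "blog.example.com.": [CAA(ISSUER_CRITICAL, "futuretag", "x")],
    "open.example.com.": [CAA(0, "iodef", "mailto:security@example.com")],
}
def relevant_caa_set(name, zone):
    """RFC 8659 section 3: walk up the tree until some label has a CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn, ca_domain, zone=ZONE):
    """Would a CA identified by ca_domain be allowed to issue a certificate for fqdn?"""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_caa_set(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the chain: issuance is unrestricted
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # unknown critical property: the CA must refuse
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only non-restricting tags such as iodef are present
    return ca_domain.lower() in {issuer_domain(r.value) for r in applicable}

if __name__ == "__main__":
    for name in ("www.example.com", "shop.example.com", "*.shop.example.com", "example.net"):
        print(name, "letsencrypt.org may issue:", may_issue(name, "letsencrypt.org"))
```

Publishing the record from the answer therefore blocks every CA for `example.com` and all names below it that carry no CAA record of their own.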
You can't block certificates issued by a CA by blocking specific ip-addresses or hostnames in your firewall.
Once a certificate has been issued neither the service using the certificate, nor the client accessing that service needs contact with the CA to be able to use the certificate to secure communications.
(That is a simplification: for instance checking the revocation status of a certificate does need contact with the CA, but AFAIK usually when revocation status can't be checked, the certificate is assumed to be valid.)

- @neb Yes, in the OS and sometimes in the web browser. Which I advised you several hours ago. – Michael Hampton Sep 04 '18 at 22:47
- Revocation checking can also be done without the CA if using a 3rd-party CRL repository or OCSP responder (Chrome kind of does the former) or OCSP stapling (now fairly common). – dave_thompson_085 Sep 05 '18 at 03:24