SEV-1 Incident: Immediate response on CA compromise!
RTO: 1 hour | Decision makers: CISO + PKI Lead
Procedure for mass revocation of certificates on CA compromise.
| Trigger | Example | Action |
| --- | --- | --- |
| Root CA compromised | Private key stolen | Rebuild entire PKI |
| Intermediate compromised | Signing key leaked | Sub-CA + all certificates |
| Mass compromise | Ransomware on CA server | All affected certificates |
| Critical vulnerability | Algorithm broken | All affected certificates |
```bash
#!/bin/bash
# emergency-triage.sh

echo "=== EMERGENCY TRIAGE ==="
echo "Time: $(date -Iseconds)"

# 1. Which CA is affected?
echo ""
echo "Affected CA:"
read -r -p "Root/Intermediate/End-Entity: " CA_LEVEL

# 2. Type of compromise
echo ""
echo "Type of compromise:"
echo "  1. Private key stolen"
echo "  2. Unauthorized certificate issuance"
echo "  3. System compromise"
echo "  4. Algorithm vulnerability"
read -r -p "Selection: " COMPROMISE_TYPE

# 3. Determine scope
echo ""
echo "Determining scope..."
case "$CA_LEVEL" in
  root|Root|ROOT)
    echo "CRITICAL: All certificates of entire PKI affected!"
    SCOPE=$(grep -c "^V" /etc/pki/CA/index.txt)
    ;;
  intermediate|Intermediate|INTERMEDIATE)
    read -r -p "Which intermediate CA? " INT_CA
    # Count only still-valid (status V) certificates of that CA
    SCOPE=$(grep "^V" /etc/pki/CA/index.txt | grep -c "$INT_CA")
    ;;
  *)
    read -r -p "Number of affected certificates: " SCOPE
    ;;
esac

echo ""
echo "=== SUMMARY ==="
echo "CA Level: $CA_LEVEL"
echo "Compromise Type: $COMPROMISE_TYPE"
echo "Affected Certificates: $SCOPE"
echo ""

# Escalation (same spellings accepted as in the case statement above)
case "$CA_LEVEL" in
  root|Root|ROOT)
    echo "ESCALATION: Notify CISO and management!"
    echo "Activate communication plan!"
    ;;
esac
```
```bash
#!/bin/bash
# emergency-ca-offline.sh

echo "=== CA OFFLINE ==="

# 1. Stop CA services
systemctl stop pki-ca
systemctl stop ocsp-responder

# 2. Block network access. Insert at the top of the chain (-I), because
#    an appended (-A) DROP would sit behind existing ACCEPT rules and
#    never match.
iptables -I INPUT -p tcp --dport 443 -j DROP
iptables -I INPUT -p tcp --dport 80 -j DROP

# 3. Lock signing keys (HSM)
# pkcs11-tool --module <hsm> --login --deactivate-key --id <key-id>

# 4. Forensic preservation
echo "Creating forensic image..."
IMAGE="/backup/forensic/ca-server-$(date +%Y%m%d%H%M%S).img"
dd if=/dev/sda of="$IMAGE" bs=4M conv=noerror,sync status=progress
# Record the image hash so the evidence can later be shown to be unaltered
sha256sum "$IMAGE" > "${IMAGE}.sha256"

echo "CA offline. No new certificates possible."
```
```bash
#!/bin/bash
# emergency-crl.sh

echo "=== EMERGENCY CRL ==="

# Revoke all certificates of affected CA
# WARNING: This is destructive!
read -r -p "WARNING: Revoke all certificates? (REVOKE/abort): " confirm
[ "$confirm" != "REVOKE" ] && exit 1

# Backup current database
cp /etc/pki/CA/index.txt "/etc/pki/CA/index.txt.pre-emergency-$(date +%Y%m%d%H%M%S)"

# Revoke all valid certificates.
# index.txt is tab-separated: status, expiry, revocation date (empty for
# valid entries), serial, filename, subject. Reading the raw line with
# IFS=tab collapses the empty revocation column and shifts the fields, so
# cut out serial (field 4) and subject (field 6) first.
grep "^V" /etc/pki/CA/index.txt | cut -f4,6 | while IFS=$'\t' read -r serial subject; do
  echo "Revoking: $serial - $subject"
  openssl ca -config /etc/pki/CA/openssl.cnf \
    -revoke "/etc/pki/CA/newcerts/${serial}.pem" \
    -crl_reason keyCompromise \
    -batch
done

# Generate new CRL (short validity!)
openssl ca -config /etc/pki/CA/openssl.cnf \
  -gencrl \
  -crlhours 1 \
  -out /var/www/pki/emergency.crl

# Distribute CRL immediately. Relying parties fetch the CRL from the
# distribution point URL embedded in the issued certificates, so the new
# CRL must also replace the file served under that path.
echo "Distributing emergency CRL..."
scp /var/www/pki/emergency.crl crl-server:/var/www/html/crl/
scp /var/www/pki/emergency.crl cdn-origin:/var/www/crl/

echo "Emergency CRL distributed."
echo "CRL URL: http://crl.example.com/crl/emergency.crl"
```
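Both the triage scope count and the revocation loop above read the OpenSSL CA database `index.txt`. The following parser is an added example, not part of the runbook, that handles the format's one awkward property (the empty revocation column on valid entries) and computes the revocation scope for a whole PKI or for one issuing CA; the sample database is constructed for illustration.

```python
"""Parse an OpenSSL CA index.txt and compute the emergency revocation scope.

Added example; the sample database below is constructed, real files live at
/etc/pki/CA/index.txt.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample index.txt. Columns (tab-separated): status, expiry
# (YYMMDDHHMMSSZ), revocation date (empty unless revoked), serial (hex),
# certificate filename ("unknown"), subject DN.
SAMPLE_INDEX = (
    "V\t260101120000Z\t\t1001\tunknown\t/CN=web01.example.com\n"
    "V\t260101120000Z\t\t1002\tunknown\t/CN=vpn.example.com\n"
    "R\t260101120000Z\t250301090000Z,keyCompromise\t1003\tunknown\t/CN=old.example.com\n"
    "E\t240101120000Z\t\t1004\tunknown\t/CN=expired.example.com\n"
    "V\t260101120000Z\t\t1005\tunknown\t/CN=mail.example.com\n"
)


@dataclass
class IndexEntry:
    status: str              # V = valid, R = revoked, E = expired
    expiry: str
    revocation: Optional[str]  # "<date>,<reason>" for revoked entries
    serial: str
    subject: str


def parse_index(text: str) -> List[IndexEntry]:
    """Split every line on each tab without collapsing empty fields, so the
    empty revocation column of a valid entry does not shift the serial."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revocation, serial, _fname, subject = fields
        entries.append(IndexEntry(status, expiry, revocation or None, serial, subject))
    return entries


def revocation_scope(entries: List[IndexEntry], subject_filter: Optional[str] = None) -> List[str]:
    """Serials an emergency CRL must cover: every still-valid certificate,
    optionally narrowed to subjects containing a substring (one sub-CA)."""
    return [e.serial for e in entries
            if e.status == "V" and (subject_filter is None or subject_filter in e.subject)]
```

Already revoked (R) and expired (E) entries are skipped, which matches what `grep "^V"` selects in the scripts.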
```text
EMERGENCY NOTIFICATION: PKI Compromise

To:   IT Security, IT Operations, Management
From: PKI Team
Time: [TIMESTAMP]

STATUS: SEV-1 INCIDENT

SUMMARY:
The [Root/Intermediate] CA has been compromised.
All issued certificates are being revoked.

IMPACT:
- Affected certificates: [COUNT]
- Affected systems: [LIST]
- Estimated downtime: [HOURS]

IMMEDIATE ACTIONS:
1. CA taken offline
2. Emergency CRL generated
3. Communication to affected systems

NEXT STEPS:
1. Forensic analysis
2. Build new CA
3. Re-issue all certificates

CONTACT:
PKI Team: pki-emergency@example.com
Security: security@example.com
Hotline:  +49 xxx xxxxx
```
```text
SECURITY NOTICE

[ORGANIZATION] has identified that [DESCRIPTION].
Affected services have been taken offline as a precaution.
We are working on a solution and will inform you of updates.

For questions: security@example.com
```
```bash
#!/bin/bash
# emergency-recovery.sh

echo "=== RECOVERY ==="

# 1. New Root CA (if compromised)
echo "Option 1: New Root CA"
echo "  -> Perform Key Ceremony"
echo "  -> See: key-ceremony.sh"

# 2. New Intermediate CA
echo ""
echo "Option 2: New Intermediate CA"
echo "  -> Get signed by Root"

# 3. Re-issue all certificates
echo ""
echo "Option 3: Re-issue certificates"

# Server list from CMDB/Inventory
SERVERS_FILE="/etc/pki/inventory/all-servers.txt"
mkdir -p /tmp/reissue

if [ -f "$SERVERS_FILE" ]; then
  total=$(wc -l < "$SERVERS_FILE")
  echo "Re-issue for $total servers..."
  while read -r server; do
    echo "Re-issue: $server"
    # Request CSR from server. ssh -n stops ssh from reading the server
    # list on stdin, which would otherwise end the loop after one host.
    ssh -n "$server" "openssl req -new -key /etc/ssl/private/server.key -out /tmp/emergency.csr -subj \"/CN=$server\""
    # Fetch CSR
    scp "$server:/tmp/emergency.csr" "/tmp/reissue/${server}.csr"
    # Issue new certificate
    openssl ca -config /etc/pki/CA/openssl.cnf \
      -in "/tmp/reissue/${server}.csr" \
      -out "/tmp/reissue/${server}.pem" \
      -days 365 -batch
    # Deploy certificate
    scp "/tmp/reissue/${server}.pem" "$server:/etc/ssl/certs/server.pem"
    ssh -n "$server" "systemctl reload nginx || systemctl reload apache2"
  done < "$SERVERS_FILE"
fi

echo "Recovery completed."
```
| Phase | Task | Timeframe |
| --- | --- | --- |
| Post-Incident | Forensic report | +24h |
| Post-Incident | Root cause analysis | +48h |
| Post-Incident | Lessons learned | +1 week |
| Prevention | Improve controls | +2 weeks |
| Compliance | Notify authorities (if critical infrastructure) | Per regulation |
| # | Checkpoint | Time | Done |
| --- | --- | --- | --- |
| 1 | Triage completed | +15m | |
| 2 | CA offline | +20m | |
| 3 | Management informed | +25m | |
| 4 | Emergency CRL generated | +30m | |
| 5 | CRL distributed | +35m | |
| 6 | Internal communication | +40m | |
| 7 | External communication (if needed) | +45m | |
| 8 | Recovery plan activated | +60m | |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional