Andrew AyerSep 3, 2025
Hey look, another certificate authority trusted ONLY by Microsoft is issuing certificates without validation (1.1.1.1/Cloudflare DNS in this case): https://crt.sh/?sha256=D42B028468E73795365102058CBCD350AD0A0B9CA7073C5362A570C5EC208A92
(h/t Hacker News user JXzVB0iA)
crt.sh | d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92

Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)

Show threadMatt Nordhoff

@agwa Not their first one! crt.sh is especially slow right now, but IIRC there's another, expired, apparently-never-revoked cert from the same CA from ~2023.

Edit: Correction: 2024-2025, and at least 1 is revoked (I did not check the others).

Sep 3, 2025 at 12:18pmWeb
Show threadMatt NordhoffSep 3, 2025

@agwa E.g. https://crt.sh/?id=12116084225 from 2024 (expired).

When https://crt[.]sh/?q=1.1.1.1 loads (link broken to reduce fedi-DDoS), there are 12 results matching "C=HR, O=Financijska agencija" from 2024-2025 (not excluding possible precert duplicates).

Edit: And what kind of serial number is "VATHR-32343828408.286"?

Edit: The cert I linked above was revoked, I was mistaken.

crt.sh | 12116084225

Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)

Show threadAndrew AyerSep 3, 2025
@mnordhoff Oh no, did I accidentally DDOS crtsh?

That's the subject serial number which is used to identify the company in OV/EV certs. I'm guessing it's a Hungarian tax identifier.
Show threadMatt NordhoffSep 3, 2025
@agwa D'oh. Thank you. Makes sense. My brain glossed right over the cert "Serial Number" at the top and went down to the Subject "serialNumber".  Guess I don't spend enough time around OV/EV certs.
Show threadgrawitySep 3, 2025
@mnordhoff @agwa Defined in ETSI 319 412-1, section 5.1.4 "Legal person semantics identifier"
https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf#page=11 - 3 letter type, 2 letter country code, in this case the company's VAT tax identifier