← AC Camerfirma, S.A. cases
Bugzilla #1390977
Certificate Problem Report
Camerfirma: Non-BR-Compliant Certificate Issuance
RESOLVED
FIXED
AC Camerfirma, S.A.
AI Summary
Camerfirma faced issues with the issuance of certificates that contained invalid DNS names, including internal server names and URLs. The CA acknowledged the problems after they were reported in the Mozilla security policy forum and confirmed that they had ceased issuing such certificates. They provided a list of affected certificates and outlined steps taken to rectify the situation, including revocation of problematic certificates and implementation of new technical controls to prevent future occurrences. Despite these measures, concerns were raised about the adequacy of their responses and the systemic issues that allowed these problems to arise.
Chronology
- Initial report of issues with Camerfirma's certificates.
- Revocation of the first set of problematic certificates.
- Revocation of the second set of problematic certificates.
- Implementation of new technical controls in the PKI platform.
- Final confirmation of completion of action items.
Participants
Ramiro Muñoz Muñoz
Kathleen Wilson
Ryan Sleevi
Gervase Markham
Jonathan Rudenberg
External References
Similar Local Cases
Visa: Non-BR-Compliant Certificate Issuance
Consorci AOC: Non-BR-Compliant Certificate Issuance
Camerfirma: Startcom are issuing by proxy using Camerfirma
GlobalSign: Non-BR-Compliant Certificate Issuance -- RSA key smaller than 2048 bits
DocuSign/Keynectis: Non-BR-Compliant OCSP Responders
GoDaddy: New GoDaddy incorrect issuance bug appears to be regression of 2010 issue
Firmaprofesional: Non-audited, non-technically-constrained intermediate certificates
Camerfirma: MULTICERT certificates with a validity period greater than 825 days