← DigiCert cases
Bugzilla #1409735
Certificate Misissuance
DigiCert: RapidSSL CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone
RESOLVED
DigiCert
AI Summary
This case involves a mis-issuance of a certificate by DigiCert for a domain that was DNSSEC-signed but had a misconfigured server that did not respond to CAA queries. The certificate was issued despite the failure to retrieve the necessary CAA record, which should have prevented issuance according to CAB guidelines. Following the report, DigiCert confirmed the issue, revoked the certificate, and implemented a patch to prevent similar occurrences in the future.
Chronology
- Complaint received regarding certificate issuance
- Issue confirmed and revocation ordered
- Certificate revoked
- Patch applied to fix CAA record checking
Participants
Quirin Scheitle
Steven Medin
Jeremy Rowley
Gervase Markham
W. Thayer
External References
Similar Local Cases
DigiCert / Inteso San Paulo: Double dot characters
Asseco DS / Certum: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN
SHA-1 issuance by DigiCert roots
DigiCert: in-addr.arpa Misissuance
DigiCert: Internal Domain Name cert mis-issuance
DigiCert: DigiCert issued cert with CN too long
DigiCert: Verizon mis-issued test certificates
DigiCert: SHA-1 intermediate issued after 2016-01-01