← Microsoft Corporation cases
Bugzilla #1421820
Certificate Problem Report
Microsoft DSRE PKI: Microsoft shares wildcard certificates among cloud instances
RESOLVED
FIXED
Microsoft Corporation
AI Summary
A significant security issue was reported regarding Microsoft Dynamics 365, where multiple cloud instances were found to share the same wildcard certificate and private key. This flaw allows users to extract the private key, compromising its confidentiality. Despite initial denials from Microsoft, the issue was acknowledged, and they are currently investigating the matter. The certificate remains valid, and there are concerns about the implications of revocation on service compatibility. Microsoft has since revoked the problematic certificates and requested that further public disclosures be managed carefully.
Chronology
- Initial report of the certificate issue by Hanno Boeck.
- Microsoft confirmed they are investigating the issue.
- Bug closed as resolved after Microsoft revoked the certificates.
Participants
Hanno Boeck
Kathleen Wilson
Gervase Markham
Jeremy Rowley
Gordon Bock
External References
Similar Local Cases
DigiCert: localbattle.net certificate with private key in software / issued by Digicert
DigiCert: Non-BR-Compliant OCSP Responders
DigiCert: no subject alternative name in Siemens certs
Asseco DS / Certum: certificate issued by Certum with compromised private key not revoked (windows10.microdone.cn)
Visa: Non-BR-Compliant Certificate Issuance
GlobalSign: Incapsula issued a certificate for non-existing domain (testslsslfeb20.me)
DigiCert: TI Trust Technologies Global CA issued certificate with no subject alternative name extension
Camerfirma: Startcom are issuing by proxy using Camerfirma