Bugzilla #1535509
Certificate Problem Report
HARICA: Insufficient serial number entropy
RESOLVED
FIXED
HARICA
AI Summary
HARICA identified a compliance issue regarding the entropy of serial numbers in certificates issued between May 4, 2018, and March 5, 2019. The CA software used, EJBCA, was configured to produce serial numbers with only 63 bits of entropy instead of the required 64 bits. This led to the issuance of 461 SSL/TLS certificates and 4157 S/MIME certificates with non-compliant serial numbers. Mitigation measures have been identified, and revocation of the affected certificates was scheduled as per the Baseline Requirements.
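Added illustration, not code from the case record, HARICA or EJBCA: the snippet simulates a generator that draws 8 random octets and clears the top bit to keep the serial positive (an assumed failure mode; the page only states the 63-bit result), shows why letting DER add the leading 0x00 octet is the compliant alternative, and gives the batch heuristic an auditor can run over already-issued serials. All function names (`effective_entropy_bits`, `make_serial`, `der_integer_octets`, `batch_looks_entropy_starved`) are assumptions of this example.

```python
import secrets

REQUIRED_ENTROPY_BITS = 64  # Baseline Requirements minimum cited in the summary


def effective_entropy_bits(nbytes: int, clear_sign_bit: bool) -> int:
    """Entropy left after drawing nbytes from a CSPRNG and optionally forcing the
    top bit to 0 so the serial stays a positive fixed-width integer (assumed
    failure mode, not stated by the page). 8 octets with the bit cleared -> 63."""
    return 8 * nbytes - (1 if clear_sign_bit else 0)


def make_serial(nbytes: int, clear_sign_bit: bool) -> int:
    """Simulated serial-number generator (constructed for this example)."""
    raw = bytearray(secrets.token_bytes(nbytes))
    if clear_sign_bit:
        raw[0] &= 0x7F
    return int.from_bytes(raw, "big") or 1  # RFC 5280: serial must be positive


def der_integer_octets(serial: int) -> int:
    """Content octets DER needs for a positive INTEGER: a leading 0x00 is added
    when the high bit of the first octet is set, so a full 64-bit value takes 9.
    Keeping all 64 bits and paying that extra octet is the compliant choice."""
    n = max(1, (serial.bit_length() + 7) // 8)
    return n + 1 if (serial >> (8 * n - 1)) & 1 else n


def batch_looks_entropy_starved(serials, required_bits=REQUIRED_ENTROPY_BITS,
                                min_batch=32) -> bool:
    """Audit heuristic over issued serials: with >= required_bits of entropy,
    about half of a batch should reach bit (required_bits - 1). If a batch of
    min_batch or more never does, the generator is masking that bit (false-alarm
    probability for a compliant CA is 2**-min_batch)."""
    serials = list(serials)
    if len(serials) < min_batch:
        return False
    return max(s.bit_length() for s in serials) < required_bits


if __name__ == "__main__":
    # Batch size matched to the 461 TLS certificates the case counts.
    masked = [make_serial(8, True) for _ in range(461)]
    unmasked = [make_serial(8, False) for _ in range(461)]
    print("masked generator flagged:", batch_looks_entropy_starved(masked))
    print("unmasked generator flagged:", batch_looks_entropy_starved(unmasked))
```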
Chronology
- Incident reported and investigation initiated.
- Planned revocation of problematic SSL/TLS certificates.
- Planned revocation of problematic CA certificates.
- Remediation confirmed as complete.
Participants
Dimitris Zacharopoulos
W. Thayer
External References
Similar Local Cases
HARICA: OCSP Responder Returned "Unauthorized" for Some Precertificates
HARICA: Certificates with invalid policy tree
HARICA: Incorrect OCSP Delegated Responder Certificate
HARICA: Anomaly in OCSP services after CA software upgrade
HARICA: S/MIME certificate issuance without proper validation
HARICA: wrong characters in NC extension of Technically Constrained Intermediate CA Certificates
HARICA: One of the two Certificate Problem Report email aliases not working
HARICA: Incorrect Open MPIC Lambda implementation by EJBCA ACME Service