Bugzilla #1535873
Certificate Problem Report
GlobalSign: AT&T Insufficient Serial Number Entropy
RESOLVED
FIXED
GlobalSign nv-sa
AI Summary
GlobalSign identified an issue with insufficient serial number entropy in certificates issued by AT&T, a customer using EJBCA with default settings. Following the discovery, AT&T was instructed to halt certificate issuance, update their configurations, and revoke affected certificates. A total of over 42,000 certificates were revoked, and AT&T upgraded their EJBCA to ensure compliance with the required serial number entropy. GlobalSign is in the process of closing down all subordinate CAs operated by third parties, with a target completion date set for August 2019.
Chronology
- GlobalSign conducted a self-assessment on certificates issued from their data center.
- GlobalSign notified AT&T to stop issuance and update their configurations.
- AT&T upgraded EJBCA in test/dev to support 128-bit serial number entropy.
- AT&T confirmed the revocation of over 42,000 certificates.
- All misissued certificates with 63-bit serial numbers were revoked.
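The defect in the summary and chronology above is a CA that encodes its serial numbers in exactly 8 octets, which caps them at 63 bits instead of the 64 random bits the Baseline Requirements demand. The following screening script is an added example, not part of the incident report or of EJBCA: it assumes serial numbers are supplied as hex strings (colon-separated or bare) and uses constructed sample batches rather than real AT&T serials. It reproduces the reasoning an auditor applies to a batch: a generator that draws a full 64 bits sets the top bit about half the time, which DER-encodes as 9 content octets (a leading 0x00), so a batch in which no serial ever reaches 2^63 is strong evidence of the 63-bit pattern.

```python
"""Added example (not from the incident report): screen a batch of serial
numbers issued by one CA for the 63-bit pattern described in the summary.

Assumptions: serials arrive as hex strings; the sample batches below are
constructed for the demo and are not real AT&T or GlobalSign serials.
"""
from typing import Dict, Iterable


def parse_serial(hex_str: str) -> int:
    """Accept '0A:1B:..', '0a1b..' or '0x0a1b' and return the integer value."""
    cleaned = hex_str.strip().lower().replace(":", "").replace(" ", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    if not cleaned:
        raise ValueError("empty serial number")
    return int(cleaned, 16)


def der_content_octets(value: int) -> int:
    """Length of the minimal DER INTEGER content encoding of a non-negative value.

    DER encodes INTEGER as two's complement, so a value whose top bit is set
    needs a leading 0x00 octet to stay positive.  That is why a 64-bit random
    serial needs 9 octets half the time, while a 63-bit one never does.
    """
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    if value == 0:
        return 1
    n = (value.bit_length() + 7) // 8
    if (value >> (8 * n - 1)) & 1:
        n += 1
    return n


def assess_serials(serials: Iterable[str]) -> Dict[str, object]:
    """Population check: does this CA ever emit a serial >= 2**63?

    Under the hypothesis that each serial carries 64 CSPRNG bits, every
    serial is >= 2**63 independently with probability 1/2, so observing
    n serials all below 2**63 has probability 2**-n.  A small batch that
    never crosses that line is therefore strong evidence of <= 63 bits.
    """
    values = [parse_serial(s) for s in serials]
    if not values:
        raise ValueError("no serial numbers supplied")
    at_or_above = sum(1 for v in values if v >= 1 << 63)
    return {
        "count": len(values),
        "max_bit_length": max(v.bit_length() for v in values),
        "max_der_octets": max(der_content_octets(v) for v in values),
        "serials_at_or_above_2^63": at_or_above,
        # Probability of seeing zero such serials if 64 bits were really used.
        "p_under_64bit_hypothesis": 0.5 ** len(values),
        "suspect_63_bit": at_or_above == 0,
    }


# Constructed batch mimicking a CA that always emits 8-octet serials with the
# top bit clear (the 63-bit behaviour described above).
EJBCA_LIKE_BATCH = [
    "3fa2c41d9e07b856", "12e7f0a99b3c4d1e", "7d00e1f2a3b4c5d6",
    "5b9c3e1f0a2d4c6e", "0e1f2d3c4b5a6978", "6abc1234def56789",
    "2f0e1d2c3b4a5968", "4c3b2a1908f7e6d5", "1a2b3c4d5e6f7081",
    "7e6d5c4b3a291807",
]

# Constructed batch from a CA drawing a full 64 bits: some serials carry a
# leading 0x00 octet because their top bit is set.
COMPLIANT_BATCH = [
    "00:c3:a2:b1:d4:e5:f6:07:18", "3fa2c41d9e07b856",
    "00f1e2d3c4b5a69788", "12e7f0a99b3c4d1e",
]

if __name__ == "__main__":
    for name, batch in (("ejbca-like", EJBCA_LIKE_BATCH), ("compliant", COMPLIANT_BATCH)):
        print(name, assess_serials(batch))
```

Because the check is statistical, the batch size matters: ten serials all below 2^63 gives p = 2^-10 under the 64-bit hypothesis, which is already decisive, while a single serial proves nothing on its own. Run it over every issuing CA in a self-assessment like the one in the chronology, and any CA whose maximum DER length never exceeds 8 octets needs its serial generator settings reviewed.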
Participants
Wayne Thayer
Doug Beattie
External References
Similar Local Cases
GlobalSign: OCSP responders found to respond signed by the default CA when passed an invalid issuer in request
GlobalSign: Virginia Tech Insufficient Serial Number Entropy
TrustCor: Insufficient Serial Number Entropy
Kamu SM: Insufficient Serial Number Entropy
SSL.com: Insufficient serial number entropy
Bug in GlobalSign Certificate Centre not populating EKUs in 68 SSL certificates
Buypass: Insufficient Serial Number Entropy
GlobalSign: Incapsula issued a certificate for non-existing domain (testslsslfeb20.me)