← Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) cases
Bugzilla #1538673
Certificate Problem Report
Consorci AOC: EC-SECTORPUBLIC insufficient serial number entropy
RESOLVED
FIXED
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert)
AI Summary
Consorci AOC identified an issue with SSL certificates issued under the 'CN=EC-SectorPublic' where the serial number entropy was insufficient, at 63 bits instead of the required 64 bits. The CA became aware of the problem through discussions on mozilla.dev.security.policy and took immediate action to stop issuing certificates. They have since updated their systems to ensure compliance with Baseline Requirements by configuring serial numbers to 128 bits. The incident raised concerns about the timeliness of their response and monitoring practices, leading to improvements in their incident management procedures.
Chronology
- Identified issue with insufficient serial number entropy.
- Stopped issuance of affected SSL certificates.
- Implemented improvements in monitoring and incident management.
Participants
Francesc Ferrer
Ryan Sleevi
External References
Similar Local Cases
Consorci AOC: Non-BR-Compliant Certificate Issuance
Consorci AOC: OCSP responding good for non-issued certs by Consorci AOC root already solved
Consorci AOC: Problem reporting mechanism for Consorci AOC points to URL with invalid cert
Add Consorci AOC "old" hierarchy to OneCRL
E-Tugra: Insufficient serial number entropy
GoDaddy: Insufficient serial number entropy
Izenpe: Intermediate CA certificates not listed in audit report
SECOM: Insufficient Serial Number Entropy