Bugzilla #1552586
Certificate Misissuance
GlobalSign: 4 Misissued certificates with invalid CN
RESOLVED
FIXED
GlobalSign nv-sa
AI Summary
GlobalSign identified and resolved an issue involving four misissued SSL certificates that contained invalid Common Names (CN). The problem was detected by their post-issuance compliance checker, which alerted them shortly after the certificates were issued. An investigation revealed that a deprecated API allowed invalid CN values to be used without proper validation. GlobalSign has since revoked the misissued certificates and is implementing changes to ensure that such issues do not recur, including disabling the deprecated API and enhancing their validation checks.
Chronology
- Certificates issued
- Compliance checker detected misissued certificates
- Investigation started
- Certificates revoked
- Further analysis determined the cause of the issue
- Updated code rolled out to check CN and SAN values
- Responses to follow-up questions provided
- Remediation confirmed complete
Participants
douglas.beattie@gmail.com
ryan.sleevi@gmail.com
wthayer@fastly.com
Similar Local Cases
GlobalSign: AT&T SSL certificates without the AIA extension
GlobalSign: Misissuance of QWAC Certificates
Telia: Misissued certificate - Invalid wildcard format
Telia: Ambiguity on KeyUsage with ECC public key
Telia: invalid IP value in SAN DNS field
GlobalSign Partner: No SAN
Sectigo: Subject field with unvalidated information included in certificates
Camerfirma: Non-BR-Compliant Issuance - DNSName is empty