← GlobalSign nv-sa cases
Bugzilla #1630870
Certificate Problem Report
GlobalSign: Certificate issued with RSASSA-PSS public key
RESOLVED
FIXED
GlobalSign nv-sa
AI Summary
GlobalSign reported an incident involving the issuance of a certificate with an RSASSA-PSS public key. The issue was identified during a post-issuance check, which flagged the certificate on April 16, 2020. The certificate was revoked shortly thereafter. An investigation revealed that the pre-issuance checker failed to prevent the issuance due to a configuration oversight. GlobalSign has since updated their documentation and processes to ensure proper validation checks are in place to prevent similar incidents in the future.
Chronology
- Post-issuance check flagged certificate with RSASSA-PSS key.
- Certificate revoked.
- Full incident report submitted.
- Log shipping and configuration verification implemented.
- Bug ticket closed as completed.
Participants
Paul Brown
Ryan Sleevi
Kathleen Wilson
Ben Wilson
External References
Similar Local Cases
GlobalSign: Empty SingleExtension in OCSP responses
GlobalSign: Non-BR-Compliant Certificate Issuance -- double-dots in dnsName
GlobalSign: Invalid stateOrProvinceName value
GlobalSign: Failure to revoke noncompliant ICA within 7 days
DigiCert / InfoCert: Insufficient Serial Number Entropy
GlobalSign: Non-BR-Compliant Certificate Issuance - metadata-only subject fields
GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report
GlobalSign: OCSP responders found to respond signed by the default CA when passed an invalid issuer in request