Bugzilla #1644936
Certificate Misissuance
Microsoft PKI Services: Certificate Mis-Issuance, Locality Missing
RESOLVED
FIXED
Microsoft Corporation
AI Summary
Microsoft Corporation reported a misissuance incident involving eight certificates that were issued without the required locality or state/province values. The issue was identified during post-issuance linting tests, leading to the revocation of the certificates on April 29, 2020. The misissuance occurred due to manual processing outside of their automated issuance system, which typically enforces compliance with certificate profiles. Microsoft has since implemented additional manual quality checks and is working to enhance their automated tools to prevent similar issues in the future.
Chronology
- Certificates issued manually
- Certificates failed linting and were revoked
- Mis-issuance reviewed with WebTrust auditors
- Final internal incident review completed
- Discussion on improving incident reporting processes
Participants
John Mason
Wayne Thayer
Ben Wilson
Ryan Sleevi
External References
Similar Local Cases
Microsoft PKI Services: DV certificate issued with OV fields
Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD
SwissSign: Misissuance with mispellings in Location for a number of Certificates
Microsoft PKI Services: Certificate Mis-Issuance, DNSName is not FQDN, Preferred Name Syntax
KIR S.A.: Misissuance - missing OCSP AIA, Validity > 825 days
Sectigo: Incorrect JOI for federal credit unions
Telia: "Some-State" in stateOrProvinceName
Izenpe: certificate issued to internal domain