Bugzilla #1648472
Certificate Misissuance
Entrust: SHA-256 hash algorithm used with ECC P-384 key
RESOLVED
FIXED
Entrust
AI Summary
Entrust Datacard discovered that 16 SSL certificates were issued using an ECC P-384 key but signed with the SHA-256 algorithm, contrary to Mozilla Policy v2.7, which requires SHA-384 for such keys. The issue was identified on June 17, 2020, through linting software, leading to an investigation and subsequent migration of the affected CAs to support SHA-384 signing. Entrust has pledged to notify subscribers and offer certificate re-issues at no cost, although they do not plan to revoke the misissued certificates, citing that they still provide adequate security.
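The check that caught this class of misissuance is mechanical: the hash in a certificate's signature algorithm must match the curve of the ECDSA key that produced the signature (SHA-256 for P-256, SHA-384 for P-384). The following Go program is an added illustration of that lint, written for this page; it is not Entrust's code nor the crt.sh linter. It constructs two self-signed P-384 test certificates, one signed with SHA-256 (the misissued shape) and one with SHA-384, and flags the first. For a self-signed certificate the signing key is the certificate's own key; for a real leaf the caller passes the issuing CA's public key. The mapping of curves to hashes follows Mozilla Root Store Policy v2.7 as summarized above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// requiredSigAlg returns the signature algorithm the policy requires for an
// ECDSA signing key on the named curve. Only P-256 and P-384 are mapped;
// anything else is reported as unsupported rather than guessed.
func requiredSigAlg(curve string) (x509.SignatureAlgorithm, bool) {
	switch curve {
	case "P-256":
		return x509.ECDSAWithSHA256, true
	case "P-384":
		return x509.ECDSAWithSHA384, true
	default:
		return x509.UnknownSignatureAlgorithm, false
	}
}

// LintSignatureHash checks that cert was signed with the hash the policy
// requires for issuerKey, the ECDSA key that produced cert's signature.
func LintSignatureHash(cert *x509.Certificate, issuerKey *ecdsa.PublicKey) error {
	curve := issuerKey.Curve.Params().Name
	want, ok := requiredSigAlg(curve)
	if !ok {
		return fmt.Errorf("no policy mapping for signing curve %q", curve)
	}
	if cert.SignatureAlgorithm != want {
		return fmt.Errorf("signing key is %s but certificate uses %s; policy requires %s",
			curve, cert.SignatureAlgorithm, want)
	}
	return nil
}

// makeSelfSigned builds a constructed, throwaway self-signed certificate over
// a fresh P-384 key, forcing the requested signature algorithm so both the
// compliant and the misissued shape can be produced for testing.
func makeSelfSigned(sigAlg x509.SignatureAlgorithm) (*x509.Certificate, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "lint-test.example"}, // constructed name
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: sigAlg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, &key.PublicKey, nil
}

func main() {
	for _, alg := range []x509.SignatureAlgorithm{x509.ECDSAWithSHA256, x509.ECDSAWithSHA384} {
		cert, pub, err := makeSelfSigned(alg)
		if err != nil {
			panic(err)
		}
		if err := LintSignatureHash(cert, pub); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Println("PASS:", cert.SignatureAlgorithm)
		}
	}
}
```

Running it prints one FAIL line for the SHA-256 certificate and one PASS line for the SHA-384 one. Wiring the same function into a pre-issuance hook, with the issuing CA's key as the second argument, is the control the Chronology below describes when the L1J CA was reconfigured for SHA-384 signing.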
Chronology
- Issue discovered using crt.sh linting software.
- L1J CA configured to support SHA-384 signing.
Participants
Bruce Morton
Ryan Sleevi
External References
Similar Local Cases
Entrust: IP in dnsName
Entrust: Subscriber provides private key with CSR
Entrust: Late mis-issue certificate revocation
Entrust: Issued Certificates to incorrect Organization
Entrust: Certificate issued with validity greater than 825-days
Entrust: SHA-1 Issuance and other misissuance while testing
Entrust: Question marks in certificate O and L fields
Entrust: CPS typographical (text placement) error