Entrust: Late Revocation due to SHA-256 hash algorithm
Entrust experienced a late revocation incident involving 606 SSL certificates that were issued with an incorrect hash algorithm (SHA-256 instead of the required SHA-384). The issue was discovered on June 17, 2020, and after an internal review, Entrust decided to revoke the certificates but delayed the action due to concerns about potential impacts on their enterprise customers. The final 17 certificates were revoked on August 7, 2020, after a series of notifications and extensions was provided to affected subscribers. Entrust acknowledged the need for improved adherence to revocation timelines in future incidents.
- Issue discovered using crt.sh linting software.
- Last CA configured to support SHA-384 signing.
- Plan changed to revoke all certificates.
- Subscribers requested to revoke certificates.
- Final 17 certificates revoked.