Bugzilla #1662382
Certificate Misissuance
GDCA: Incorrect Value in organizationName Field
RESOLVED
FIXED
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA))
AI Summary
Global Digital Cybersecurity Authority (GDCA) identified a mis-issued EV SSL certificate during a routine internal audit on August 26, 2020. The certificate, issued on August 25, contained an incorrect value in the organizationName field. GDCA promptly revoked the certificate and implemented a new feature in their Certificate Management System to enhance validation procedures. This feature matches certificate data against a Qualified Government Information Source to prevent similar issues in the future. The incident was resolved with no further mis-issuances found.
Chronology
- Certificate issued
- Mis-issuance identified
- Certificate revoked
- Notified WebTrust auditor
- New validation feature deployed
Participants
capoc@gdca.com.cn
ryan.sleevi@gmail.com
bwilson@mozilla.com
Similar Local Cases
Telekom Security: Certificate with invalid FQDN
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints
GDCA: Authentication of Organization Identity Failure for an OV Certificate
certSIGN: misissued an OV SSL certificate with no organizationName and localityName, instead of a DV SSL as requested by client
Sectigo: Subject field with unvalidated information included in certificates
SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels
SSL.com: Wildcard DV certificate issued with a non-validated domain name
GlobalSign: Misissuance of QWAC Certificates