Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD
Microsoft PKI Services experienced a certificate mis-issuance incident in which certificates were issued for a domain that did not have a valid top-level domain (TLD). The issue was identified after a partner notified Microsoft on October 8, 2020. Following the notification, Microsoft took immediate action, including revoking the mis-issued certificates and improving its domain validation processes. The root cause was traced to a non-public domain, one without a valid TLD, that had been mistakenly added to their system. Microsoft has since implemented measures to prevent similar incidents, including enhanced checks and automation in its domain validation process.
- Microsoft was notified by a partner about the mis-issued certificates.
- Microsoft created an internal incident and began managing the issue.
- The problematic domain was removed from the production system.
- Certificates issued to the domain were revoked.
- Microsoft confirmed the removal of the DNS Operator exception from their CPS.
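The automated check the summary refers to, enforcing that every dNSName in a certificate's Subject Alternative Name ends in a valid public TLD, can be illustrated with a small pre-issuance lint. The code below is an added example, not Microsoft's own implementation; the TLD set is a constructed subset, and the assumption is that a real deployment loads the full IANA root zone list and refreshes it regularly.

```python
"""Pre-issuance lint: every dNSName in a certificate request's SAN must end in a
valid public TLD. Added example illustrating the check described in the incident
summary; not Microsoft's own code."""

import re

# Constructed subset of public TLDs for the example. Assumption: a real check
# loads the full IANA list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt).
KNOWN_TLDS = frozenset({"com", "net", "org", "io", "uk", "de", "microsoft"})

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def has_valid_tld(dns_name: str, tlds=KNOWN_TLDS) -> bool:
    """Return True only if dns_name is a syntactically valid hostname whose
    rightmost label is a known public TLD. A wildcard is accepted only as the
    leftmost label (e.g. '*.example.com')."""
    name = dns_name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    # A bare TLD ("com") or a single-label internal name ("server01") is not a
    # public DNS name and must be rejected.
    if len(labels) < 2:
        return False
    # The regex also rejects a '*' anywhere other than the leftmost position.
    if not all(_LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1] in tlds


def lint_san_dnsnames(dns_names, tlds=KNOWN_TLDS):
    """Split a SAN dNSName list into (accepted, rejected). Issuance should be
    blocked whenever the rejected list is non-empty."""
    accepted, rejected = [], []
    for n in dns_names:
        (accepted if has_valid_tld(n, tlds) else rejected).append(n)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample SAN entries, including an internal name with no public TLD.
    sample = ["www.example.com", "*.corp.example.net", "mail.example.internal",
              "server01", "bad-.example.org"]
    ok, bad = lint_san_dnsnames(sample)
    print("accepted:", ok)
    print("rejected (block issuance):", bad)
```

The lint is deliberately strict: it rejects single-label names and non-public suffixes outright rather than relying on a human reviewer to notice them, which is the failure mode the incident describes. Running the sample accepts the two public names and rejects `mail.example.internal`, `server01` and `bad-.example.org`.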