Bugzilla #1673119
Certificate Misissuance
Entrust: Subscriber provides private key with CSR
RESOLVED
FIXED
Entrust
AI Summary
Entrust reported a significant incident in which a subscriber inadvertently included a private key with their Certificate Signing Request (CSR), so that the key was exposed to the CA and 121 certificates were issued for a compromised private key. The issue was identified on October 19, 2020, and subsequent investigation revealed that the same private key had been used in previous requests. Entrust promptly revoked all affected certificates and installed a patch so that CSR submissions carrying extra data are rejected. The incident highlighted the need for stricter validation of CSRs to avoid similar misissuances.
Chronology
- Entrust discovers private key included with CSR.
- Trigger certificate revoked.
- All affected certificates confirmed revoked.
- Patch installed to reject CSRs with extra data.
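An added illustration of the kind of pre-issuance check the last step describes, written for this summary and not Entrust's own code: the submission is accepted only if it consists of exactly one PEM CSR block, any private-key block or stray data is reported, and the caller is told when the key must be treated as compromised. The sample inputs are constructed placeholders, not real key material.

```python
import re
from dataclasses import dataclass, field

# Matches one PEM block; the back-reference forces matching BEGIN/END labels.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
              "EC PRIVATE KEY", "DSA PRIVATE KEY"}


@dataclass
class Verdict:
    accepted: bool
    key_leaked: bool = False          # if True, the key is compromised: never issue for it again
    reasons: list = field(default_factory=list)


def validate_csr_submission(text: str) -> Verdict:
    """Accept only a submission that is exactly one PEM CSR and nothing else."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    reasons, key_leaked = [], False
    if sum(label in CSR_LABELS for label in labels) != 1:
        reasons.append("expected exactly one CERTIFICATE REQUEST block")
    for label in labels:
        if label in KEY_LABELS:
            key_leaked = True
            reasons.append(f"private key material submitted ({label})")
        elif label not in CSR_LABELS:
            reasons.append(f"unexpected PEM block ({label})")
    # Anything left after removing the PEM blocks is extra data: a second file
    # pasted in, free text, or a key whose BEGIN/END labels do not match.
    residue = PEM_BLOCK.sub("", text).strip()
    if residue:
        reasons.append("data outside PEM blocks: %r" % residue[:40])
    return Verdict(accepted=not reasons, key_leaked=key_leaked, reasons=reasons)


# Constructed samples: the base64 bodies are placeholders, not real CSRs or keys.
CSR_ONLY = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIICVDCCATwCAQAwDzENMAsGA1UEAwwEdGVzdA==\n"
    "-----END CERTIFICATE REQUEST-----\n")
CSR_WITH_KEY = CSR_ONLY + (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ==\n"
    "-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, sample in (("csr_only", CSR_ONLY), ("csr_with_key", CSR_WITH_KEY)):
        print(name, validate_csr_submission(sample))
```

A rejection with `key_leaked` set should also feed the CA's compromised-key records, since the page notes the same key had already been used in earlier requests.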
Participants
Bruce Morton
Ryan Sleevi
Jeremy Rowley
Matthias
Adriano Santoni
B. Wilson
External References
Similar Local Cases
Entrust: S/MIME mailbox address not in subjectAltName
Entrust: CPS typographical (text placement) error
Entrust: Issued Certificates to incorrect Organization
Entrust: Certificate issued with validity greater than 825-days
Entrust: SHA-1 Issuance and other misissuance while testing
Entrust: Question marks in certificate O and L fields
Entrust: Late mis-issue certificate revocation
Entrust: IP in dnsName