Bugzilla #1682270
Certificate Problem Report
D-TRUST: Private Key Disclosed by Customer as Part of CSR
RESOLVED
FIXED
D-TRUST
AI Summary
D-TRUST identified a weakness in its certificate signing request (CSR) intake that allowed a customer to inadvertently submit a private key together with the CSR. An internal investigation found one such submission: the private key had been sent with the CSR for a certificate that was later revoked. D-TRUST has since deployed a bug fix that rejects such incorrect CSR submissions. The issue was resolved on December 14, 2020, and only one certificate was affected, issued on July 2, 2020.
Chronology
- Investigation initiated after potential vulnerability identified.
- Thorough analysis revealed a revoked certificate with a private key submission.
- Bug fix successfully completed and approved.
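The intake check described in the summary, as an added illustration that is not D-TRUST's own code: it inspects a submitted PEM bundle, rejects it outright if any block carries a private-key label, and otherwise accepts only a single CSR block. The label sets and the sample inputs are constructed assumptions, and the base64 bodies are placeholders rather than real CSR or key material.

```python
import base64
import re

# PEM labels that mean key material was pasted into the submission.
# Assumed list, based on common OpenSSL/OpenSSH output; extend as needed.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY",
}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

# Matches one PEM block; the END label must equal the BEGIN label.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, base64 body) for each PEM block in the submission."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            raise ValueError(f"malformed base64 in {label} block")
        blocks.append((label, body))
    return blocks


def check_csr_submission(text):
    """Return (accepted, reason). Accept only exactly one CSR block."""
    labels = [label for label, _ in pem_blocks(text)]
    if any(label in PRIVATE_KEY_LABELS for label in labels):
        # Reject before anything else: the key must never reach the pipeline.
        return False, "private key material present; submission rejected"
    if any(label not in CSR_LABELS for label in labels):
        return False, "unexpected PEM block type in submission"
    if len(labels) != 1:
        return False, f"expected exactly one CSR block, got {len(labels)}"
    return True, "ok"


# Constructed samples: placeholder base64, not a real CSR or key.
GOOD = ("-----BEGIN CERTIFICATE REQUEST-----\nMIIBAgI=\n"
        "-----END CERTIFICATE REQUEST-----\n")
BAD = GOOD + ("-----BEGIN RSA PRIVATE KEY-----\nMIIBAgI=\n"
              "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_csr_submission(GOOD))  # (True, 'ok')
    print(check_csr_submission(BAD))   # (False, 'private key material present; submission rejected')
```

A CA that receives a key this way would additionally have to treat it as compromised, which is why the affected certificate in this report was revoked.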
Participants
Enrico Entschew
bwilson@mozilla.com
External References
Similar Local Cases
D-TRUST: Issuance of non-conformant SSL certificate
D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName
D-TRUST: EV certificates with incorrectly used businessCategory entry
D-Trust: Missing Pre-Signing Linting for TLS Issuance
D-Trust: Expired certificate provided on the CA TLS test website for demonstration of valid certificates
D-Trust: QCStatement with http link of PKI Disclosure Statements
D-Trust: Missed Revocation of TLS certificates affected by Bugzilla 1884714
D-Trust: Notice to affected Subscriber and person filing CPR not sent within 24 hours