Bugzilla #1694233: Certificate Problem Report
Sectigo: Inadequate DCV
Status: RESOLVED FIXED
CA: Sectigo
AI Summary
Sectigo identified a flaw in its Domain Control Validation (DCV) process that allowed SSL certificates to be issued for apex domains without proper validation. The issue arose when a subscriber requested a certificate for a www subdomain but did not provide an email address for the apex domain, so the apex domain was not validated in its own right. Following a report from a partner, Sectigo promptly investigated and confirmed the issue, which led to the revocation of 1,548 affected certificates. The company has since deployed code changes to prevent the problem from recurring.
Chronology
- Received report of DCV issue from partner.
- Deployed fix to prevent issuance of certificates with incomplete DCV.
- Revoked all identified affected certificates.
Participants
Tim Callan
Ryan Sleevi
Pedro Fuentes
Similar Local Cases
Sectigo: Failure to provide a preliminary report within 24 hours.
Sectigo: Mojibake in certificate Subject fields
Sectigo: Misspellings in stateOrProvince or localityName fields
Sectigo: Missing registration numbers in EV certificates
Sectigo: Failure to block disallowed LDH labels in domain names
Sectigo: DCV Reuse after 825 days
Sectigo: Incorrect locality information
Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature