Bugzilla #1706860
Certificate Misissuance
Microsoft PKI Services: Certificate Mis-Issuance, DNSName is not FQDN, Preferred Name Syntax
RESOLVED
FIXED
Microsoft Corporation
AI Summary
Microsoft PKI Services identified three certificates that were mis-issued because a DNSName in the Subject Alternative Name (SAN) was not a Fully Qualified Domain Name (FQDN): a label ended with a hyphen. The issue was discovered on April 20, 2021, during an investigation of preferred name syntax errors. All three certificates were revoked within 24 hours of discovery, and Microsoft has since updated its internal linting tools to prevent future occurrences. A review found no additional certificates with similar issues.
Chronology
- Bugzilla incident 1705419 opened.
- Discovered three mis-issued certificates.
- Confirmed all three certificates were revoked.
- Completed review of all issued certificates, confirming no additional issues.
- Bug closure anticipated unless further issues arise.
Participants
John Mason
Similar Local Cases
Microsoft PKI Services: Certificate Mis-Issuance, Locality Missing
Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD
Microsoft PKI Services: DV certificate issued with OV fields
Microsoft PKI Services: End Entity Certificate Mis-issuance against CPS (BasicConstraints)
Microsoft PKI Services: Misissuance detected by PKIMetal
Let's Encrypt: TLS Using ALPN Allows Additional Identifiers in Challenge Certificate
SSL.com: Issuance of TLS certificates with domain validation methods prohibited by SC-45
NAVER Cloud Trust Services: DV certificate issued with no subject alternative name extension