Bugzilla #1711432
Certificate Misissuance
Telekom Security: Certificate with invalid FQDN
RESOLVED
FIXED
Deutsche Telekom Security GmbH
AI Summary
Deutsche Telekom Security GmbH issued a certificate with an invalid Fully Qualified Domain Name (FQDN) that started with a hyphen. The issue was identified during routine checks on May 16, 2021, leading to immediate revocation of the certificate and a halt to further issuance. A software bug allowed the misissuance; the bug was addressed with a hotfix deployed on June 7, 2021. The incident was resolved with updated software to prevent similar issues in the future.
Chronology
- Certificates issued with invalid FQDN
- Internal QA detects the error
- Management confirms software bug and halts issuance
- Hotfix deployed to prevent hyphens at the beginning of FQDNs
Participants
Arnold Essing
matthias@thisisntrocket.science
michel@lebihan.pl
ryan.sleevi@gmail.com
bwilson@mozilla.com
Similar Local Cases
Sectigo: Subject field with unvalidated information included in certificates
GDCA: Incorrect Value in organizationName Field
SSL.com: Wildcard DV certificate issued with a non-validated domain name
Telekom Security: QCStatement with http link to PDS
SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels
certSIGN: misissued an OV SSL certificate with no organizationName and localityName, instead of a DV SSL as requested by client
Dhimyotis / Certigna: Certificates issued with validity periods greater than 398-days
GlobalSign: Misissuance of QWAC Certificates