Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME
Sectigo identified a misissuance of Extended Validation (EV) TLS certificates where the subject:serialNumber field incorrectly contained dates of incorporation instead of the appropriate registration numbers. This issue was discovered during an internal audit, leading to a series of corrective actions including disabling access to the EV ACME server and revoking 204 affected certificates. The root cause was traced to a coding bug in the ACME order processing system, which failed to retrieve the correct registration number from the database. Sectigo has since implemented automated testing to prevent similar issues in the future.
- Internal audit discovers misissuance of EV TLS certificates.
- List of affected certificates generated.
- All affected certificates revoked.
- Automated tests for ACME issuance added.
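
An added example (not Sectigo's code) of the kind of pre-issuance test the root cause and the last timeline item point to: compare the subject:serialNumber about to be issued with the validated registration number, and reject values that are date-shaped or equal to the incorporation date. The function names, record fields and sample values are assumptions constructed for illustration.

```python
from datetime import date, datetime

# Delimited layouts are unambiguous dates. Bare digit strings are checked
# separately: an 8-digit value can be a legitimate registration number.
DELIMITED = ("%Y-%m-%d", "%Y/%m/%d", "%d/%m/%Y", "%m/%d/%Y", "%d.%m.%Y")
COMPACT = ("%Y%m%d", "%d%m%Y", "%m%d%Y")

def dates_denoted(value, layouts):
    """Every calendar date `value` could mean under the given layouts."""
    found = set()
    for layout in layouts:
        try:
            found.add(datetime.strptime(value.strip(), layout).date())
        except ValueError:
            pass
    return found

def lint_serial_number(subject_serial, registration_number, incorporation_date):
    """Findings for one EV order (hypothetical record fields); [] means pass."""
    if not subject_serial or not subject_serial.strip():
        return ["serialNumber is empty"]
    findings = []
    if dates_denoted(subject_serial, DELIMITED):
        findings.append("serialNumber is formatted as a date")
    if incorporation_date in dates_denoted(subject_serial, DELIMITED + COMPACT):
        findings.append("serialNumber equals the incorporation date")
    if subject_serial.strip() != (registration_number or "").strip():
        findings.append("serialNumber differs from the validated registration number")
    return findings

# Constructed sample orders: (subject serialNumber, registration number, incorporation date)
SAMPLES = {
    "correct": ("C1234567", "C1234567", date(2010, 5, 14)),
    "date-in-serial": ("2010-05-14", "C1234567", date(2010, 5, 14)),
    "compact-date": ("20100514", "C1234567", date(2010, 5, 14)),
    "numeric-regno": ("20100514", "20100514", date(1998, 3, 2)),
}

def lint_samples():
    return {name: lint_serial_number(*order) for name, order in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in lint_samples().items():
        print(name, "->", findings or "pass")
```

The `numeric-regno` sample shows why bare digit strings are only flagged when they match the record's incorporation date: a purely numeric registration number must still pass.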