Bugzilla #1714628
Certificate Misissuance
Sectigo: Forbidden Domain Validation Method
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified a significant issue where their Certificate Policy Statement (CPS) did not include all supported Domain Control Validation (DCV) methods, specifically missing the ACME-http-01 method. This oversight led to the issuance of 369,922 certificates that did not comply with current standards. Following the discovery, Sectigo promptly updated their CPS and initiated a revocation process for the affected certificates. The case highlights the importance of maintaining accurate documentation and proactive compliance measures.
Chronology
- Bug opened by Ryan Sleevi regarding CPS updates.
- Updated CPS published to site.
- Custom script runs, revoking all affected certificates.
Participants
Ryan Sleevi
Tim Callan
Similar Local Cases
Sectigo: Invalid stateOrProvinceName
Sectigo: Incorrect EV businessCategory
Sectigo: Incorrect JOI for federal credit unions
Sectigo: Failure to revoke within 5 days
Sectigo: test certificates issued from trusted CA
Sectigo: State name in localityName
Sectigo: IP Address Domain Validation Failure
Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME