Bugzilla #1724520
Certificate Misissuance
SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels
RESOLVED
FIXED
SSL.com
AI Summary
SSL.com reported a misissuance incident involving a TLS certificate issued with a malformed common name due to a bug in their validation process. The issue arose when a customer demonstrated control over a domain but submitted a request that included a 'www.' string incorrectly positioned within the domain labels. This led to the issuance of a certificate that did not meet validation standards. SSL.com promptly revoked the certificate upon notification and implemented a hotfix to prevent similar occurrences. The investigation confirmed that this was the only affected certificate.
Chronology
- Customer reported malformed certificate issuance.
- Initial Bugzilla report filed.
- Final Bugzilla report filed.
Participants
secauditor@ssl.com
ryan.sleevi@gmail.com
mathew.hodson@gmail.com
bwilson@mozilla.com
Similar Local Cases
SSL.com: Wildcard DV certificate issued with a non-validated domain name
SSL.com: Issuance of one Sponsored-Validated S/MIME certificate with organization information in givenName and surName of the subjectDN
SSL.com: Issuance of TLS certificates with domain validation methods prohibited by SC-45
SSL.com: S/MIME certificates issued prior to validation
GDCA: Incorrect Value in organizationName Field
IdenTrust: unintended creation of a Root CA certificate
certSIGN: misissued an OV SSL certificate with no organizationName and localityName, instead of a DV SSL as requested by client
Telekom Security: Certificate with invalid FQDN