IdenTrust: Mis-Issued EV Certificates
IdenTrust Services, LLC identified and confirmed the mis-issuance of 124 EV certificates, caused by its system failing to trigger re-validation of documentation older than 398 days. The issue was discovered during an internal audit on September 27, 2021, and reported to Mozilla on October 8, 2021. The company implemented a remediation plan that included revoking the mis-issued certificates and enhancing its validation processes. All but three certificates were revoked by November 10, 2021, and the remaining three were revoked shortly thereafter. The technical controls to prevent recurrence were deployed on January 20, 2022.
- Conducted internal audit review of issued EV certificates.
- Confirmed mis-issuance of certificates.
- Submitted CCADB incident report.
- All but 3 mis-issued certificates revoked.
- Deployed automated validation to prevent recurrence.