Bugzilla #1741026
Certificate Misissuance
Sectigo: Incorrect JOI for federal credit unions
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified a misissuance involving eleven certificates issued to federal credit unions that incorrectly included state-level information in the JOIStateName fields. The issue was discovered during a review of their certificate corpus, leading to the revocation of the affected certificates. Although the initial discovery occurred on October 7, 2021, the reporting of the incident was delayed due to a series of development schedule slips, which Sectigo acknowledged as a mismanagement error. The CA has since implemented programmatic checks to prevent similar misissuances in the future.
Chronology
- Discovery of misissued certificates
- First certificate revoked
- Additional certificates revoked
- QGIS matching goes into production
- Bug scheduled for closure
Participants
Tim Callan
Ryan Sleevi
Ben Wilson
Similar Local Cases
Sectigo: Invalid stateOrProvinceName
Sectigo: Failure to revoke within 5 days
Sectigo: State name in localityName
Sectigo: Incorrect EV businessCategory
Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME
Sectigo: Misspelled city name in localityName field
Sectigo: Forbidden Domain Validation Method
Sectigo: test certificates issued from trusted CA