← SSL.com cases
Bugzilla #1750631
Certificate Misissuance
SSL.com: Issuance of TLS certificates with domain validation methods prohibited by SC-45
RESOLVED
FIXED
SSL.com
AI Summary
SSL.com identified the issuance of three DV TLS certificates using validation methods prohibited by SC-45 during an internal review. The issue was discovered on December 29, 2021, leading to an investigation that confirmed the mis-issuance of these certificates. SSL.com took immediate action to revoke the affected certificates and implemented a hotfix to prevent similar future occurrences. The incident highlighted failures in the timely adoption of policy changes and insufficient implementation in their RA Portal. All remediation actions have since been completed, and the case has been resolved.
Chronology
- Discovery of three problematic certificates during internal review.
- Revocation of the affected certificates completed.
- All remediation actions completed and monitoring policy updated.
Participants
secauditor@ssl.com
bwilson@mozilla.com
External References
Similar Local Cases
SSL.com: Wildcard DV certificate issued with a non-validated domain name
SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels
SSL.com: S/MIME certificates issued prior to validation
SSL.com: Issuance of one Sponsored-Validated S/MIME certificate with organization information in givenName and surName of the subjectDN
Sectigo: Subject field with unvalidated information included in certificates
SSL.com: P-384 curve / ecdsa-with-SHA256 certificates
Telekom Security: Certificate with invalid FQDN
FNMT: Missisuance of web site certificates without CA/Browser Forum’s reserved policy OID