Bugzilla #1756122
Certificate Problem Report
D-TRUST: Wrong key usage (Key Agreement)
RESOLVED
FIXED
D-TRUST
AI Summary
D-TRUST SSL CA 2 2020 issued a certificate with incorrect key usage, specifying 'keyAgreement' instead of 'keyEncipherment'. The error was detected shortly after issuance on February 17, 2022, leading to the revocation of the certificate the same day. D-TRUST has since halted the issuance of certificates of this type and implemented additional checks to prevent future occurrences. A thorough investigation revealed misconfiguration and limitations in their pre-linting checks as contributing factors.
Chronology
- New product type added; first certificate issued with incorrect key usage.
- Certificate revoked after internal checks.
- Rollback of the new product type initiated.
- New internal work instruction introduced.
- Contributions to the ZLint project confirmed to prevent future issues.
Participants
Enrico Entschew
Similar Local Cases
D-TRUST: Wrong key usage (Key Encipherment)
D-Trust: QCStatement with http link of PKI Disclosure Statements
D-Trust: Missed Revocation of TLS certificates affected by Bugzilla 1884714
D-TRUST: Issuance of non-conformant SSL certificate
D-TRUST: Certificate with RSA key where modulus is not divisible by 8
D-Trust: CRL HTTP Media Type
D-Trust: Expired certificate provided on the CA TLS test website for demonstration of valid certificates
D-TRUST: syntax error in one tls certificate