← Sectigo cases
Bugzilla #1756847
Certificate Problem Report
Sectigo: SC45 DCV Reuse Error
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified a bug in their implementation of Domain Control Validation (DCV) reuse, which led to the potential misissuance of certificates. The issue was discovered through continuous QA testing and was related to compliance with SC45. A total of 40 certificates were identified as affected and were revoked within 24 hours of discovery. A code fix has been deployed, and Sectigo has ceased issuing certificates with this problem. They are continuing to monitor the situation to ensure all affected certificates are accounted for.
Chronology
- Certificates issued that may be affected by the bug.
- Continuous testing reveals a possible bug in SC45 implementation.
- Hotfix deployed to resolve the bug.
- All 40 misissued certificates revoked.
Participants
Tim Callan
Martijn Katerbarg
B Wilson
External References
Similar Local Cases
Sectigo: Failure to block disallowed LDH labels in domain names
Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value
Sectigo: OV reuse data applied for wrong organization
Sectigo: Certificate issuance delayed for more than 398 days after DCV was completed
Sectigo: Failure to invalidate Email DCV Random Values after 30 days
Sectigo: DCV Reuse after 825 days
Sectigo: Truncated registration numbers in EV certificates
Sectigo: S/MIME certificates with (null) string value in subject attributes