Bugzilla #1353838
Certificate Misissuance
Trustis: SHA-1 serverAuth cert issued in November 2016
RESOLVED
Trustis
AI Summary
Trustis issued a SHA-1 serverAuth certificate for hmrcset.trustis.com in November 2016, which was later found to be non-compliant with Mozilla's policies. Following reports and discussions, Trustis revoked the certificate and replaced it with a SHA-256 version. An additional SHA-1 certificate for getset.trustis.com was also identified, leading to further scrutiny of Trustis's certificate issuance processes. The case has been resolved with updates to their compliance practices.
Chronology
- Initial report of SHA-1 certificate
- Trustis revoked the SHA-1 certificate
- Incident report provided by Trustis
- Trustis acknowledged mis-issuance and updated compliance practices
Participants
Kathleen Wilson
Blake Morgan
Similar Local Cases
Trustis: Certificate not version 3
SHA-1 issuance by Visa root
DigiCert: Verizon mis-issued test certificates
SHA-1 issuance by DocuSign root
Let's Encrypt: certs issued contrary to CPS due to incomplete blocklist
DigiCert / Siemens: Insufficient Serial Number Entropy
DigiCert: DigiCert issued cert with CN too long
Let's Encrypt: Attacker-controlled google.tg certificate being used in the wild.