Bugzilla #1760311
Certificate Problem Report
GlobalSign: OCSP responder certificates with more than 64 characters in CN
RESOLVED
FIXED
GlobalSign nv-sa
AI Summary
GlobalSign identified that it had issued six OCSP responder certificates with Common Names (CN) exceeding the allowed length of 64 characters. The issue was discovered during a gap assessment on November 30, 2021, and was escalated for investigation on March 17, 2022, after a certificate problem report was received. The CA confirmed on March 18, 2022, that the affected certificates needed to be revoked, and all were revoked that same day. GlobalSign has since updated its certificate issuance profiles to prevent future occurrences.
Chronology
- Gap assessment revealed OCSP certificates with CN longer than 64 characters.
- Certificate problem report received and investigation initiated.
- Affected certificates confirmed for revocation and all were revoked.
- Linting added to OCSP Responder certificate profiles.
Participants
Christophe Bonjean
Ryan Sleevi
B Wilson
Similar Local Cases
GlobalSign: Three (3) revoked precertificates with reasonCode “certificateHold”
GlobalSign: Certificate issued to FQDN with malformed CAA
GlobalSign: Failure to revoke noncompliant certificates within 5 days
GlobalSign: Non-BR-Compliant Certificate Issuance -- double-dots in dnsName
GlobalSign: Invalid stateOrProvinceName value
GlobalSign: Certificate issued with RSASSA-PSS public key
GlobalSign: Organization-validated SMIME certificate with invalid organizationIdentifier for European country
GlobalSign: EV TLS certificate with only metadata in JOI State field