Bugzilla #1853987
Certificate Problem Report
Sectigo: S/MIME certificates with (null) string value in subject attributes
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified an issue where S/MIME certificates were issued with '(null)' in the subject:givenName and subject:surname attributes. This was discovered during a manual review, leading to an internal investigation that revealed a bug in their system caused by an external Identity Provider (IdP). A total of 126 certificates were affected, and Sectigo has since deployed a patch to prevent further issuance of such certificates. All affected certificates were revoked by September 22, 2023, concluding their remediation efforts.
Chronology
- Internal ticket created to review issued S/MIME certificates.
- Patch deployed to block issuance of certificates with '(null)' string.
- Initial 8 certificates revoked.
- All remaining certificates revoked.
Participants
Martijn Katerbarg
Ben Wilson
Similar Local Cases
Sectigo: Non-existent hostname in CDP and AIA URLs
Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value
Sectigo: HTML encoded characters in subject attribute values
Sectigo: Missing character in subject:organizationName attribute value
Sectigo: Late revocation for incomplete Subject organizationName
Sectigo: Premature disabling of CRL generation for an inactive CA
Sectigo: Temporary unavailability for subset of CRLs
Sectigo: Failure to revoke ECC certificates with non-DER encoded keyUsage within 5 days