Bugzilla #1675684 · Certificate Problem Report
DigiCert: Private Keys Disclosed by Customers as Part of CSR
DigiCert · RESOLVED
AI Summary
DigiCert experienced a security incident in which customers inadvertently pasted their private keys into the Certificate Signing Request (CSR) submission field, disclosing the keys to the CA. The issue was identified following a similar report from Entrust, which prompted DigiCert to investigate and deploy a patch that rejects any submission containing private key material. A tool was then developed to scan previously submitted CSR data for private keys, and the 337 certificates whose keys had been disclosed were revoked. The incident has been resolved, with improved input validation in place.
Chronology
- Investigation initiated after Entrust's report.
- Patch deployed to reject potential private key submissions.
- Scanning for private keys completed; revocation of affected certificates.
- Case deemed ready for closure.
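The two controls described above, a submission check that rejects private key material and a retroactive sweep of stored submissions, as an added illustration (this is not DigiCert's code; it assumes the upload field accepts PEM text, and the sample bodies are constructed placeholders, not real keys or CSRs):

```python
import re

# PEM labels that carry private key material (RFC 7468 types plus the
# traditional OpenSSL and OpenSSH forms).
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
    "EC PRIVATE KEY", "DSA PRIVATE KEY", "OPENSSH PRIVATE KEY",
}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

# A complete PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
# A private-key BEGIN line on its own, so a truncated paste is still caught.
KEY_HEADER = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")


def pem_labels(text: str) -> list[str]:
    """Labels of every complete PEM block in the text, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_csr_submission(text: str) -> tuple[bool, str]:
    """Validate one CSR upload; returns (accepted, reason).

    Rejects anything containing private key material, even a truncated block,
    and otherwise accepts only a submission made of exactly one CSR block.
    """
    if KEY_HEADER.search(text):
        return False, "private key material present"
    labels = pem_labels(text)
    csrs = [l for l in labels if l in CSR_LABELS]
    if len(csrs) != 1:
        return False, f"expected one CSR block, found {len(csrs)}"
    if len(labels) != 1:
        return False, "unexpected extra PEM block"
    return True, "ok"


def scan_stored_submissions(records: dict[str, str]) -> list[str]:
    """Retroactive sweep over stored submissions (id -> text). Returns the ids
    whose text contains private key material, i.e. whose certificates need
    key-compromise revocation."""
    return [sid for sid, text in records.items() if KEY_HEADER.search(text)]


# Constructed samples: the base64 bodies are placeholders, not real data.
GOOD_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBplaceholder\n-----END CERTIFICATE REQUEST-----\n"
LEAKED = GOOD_CSR + "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
TRUNCATED = GOOD_CSR + "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEplaceholder\n"

if __name__ == "__main__":
    for name, sub in [("good", GOOD_CSR), ("leaked", LEAKED), ("truncated", TRUNCATED)]:
        print(name, check_csr_submission(sub))
    print(scan_stored_submissions({"order-1": GOOD_CSR, "order-2": LEAKED}))
```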
Participants
Jeremy Rowley
B Wilson