HARICA: Anomaly in OCSP services after CA software upgrade
HARICA identified an issue with its OCSP services following a CA software upgrade: non-compliant OCSP responses were being served for newly issued certificates. Specifically, the `nextUpdate` value of these responses exceeded the allowed duration, violating the TLS Baseline Requirements (BRs). The problem affected 161 TLS certificates, leading to connectivity issues for relying parties. HARICA quickly addressed the issue by fixing the code and purging the problematic responses, restoring proper OCSP functionality within hours. The incident prompted a thorough investigation and the implementation of additional monitoring controls.
- Investigation initiated after reports of stale OCSP responses.
- Identified issue linked to CA software upgrade on January 16.
- Problematic OCSP responses purged and fix deployed.
- Incident report drafted and Bugzilla case opened.
- Case closed after all action items completed.
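
A monitoring control of the kind mentioned above can compare each response's `thisUpdate` and `nextUpdate` against the permitted validity interval and flag responses that have gone stale. The following is an added example, not HARICA's code; the 8-hour and 10-day limits are this example's reading of TLS BR section 4.9.10 and are not stated on this page, and the record type, serial labels and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: limits as read from TLS BR section 4.9.10 (not given on the page).
MIN_VALIDITY = timedelta(hours=8)
MAX_VALIDITY = timedelta(days=10)

@dataclass
class OcspStatus:
    """The fields of an OCSP response that matter for this check."""
    serial: str            # certificate serial (placeholder labels below)
    this_update: datetime
    next_update: datetime

def check_response(r, now):
    """Return the findings for one response; an empty list means compliant."""
    findings = []
    # Assumption: the BRs count the validity interval inclusively,
    # so one second is added to the plain difference.
    interval = r.next_update - r.this_update + timedelta(seconds=1)
    if interval > MAX_VALIDITY:
        findings.append("validity-too-long")    # nextUpdate too far out
    if interval < MIN_VALIDITY:
        findings.append("validity-too-short")
    if now > r.next_update:
        findings.append("stale")                # relying parties will reject it
    if r.this_update > now:
        findings.append("this-update-in-future")
    return findings

def audit(responses, now):
    """Map serial -> findings for every response with at least one finding."""
    return {r.serial: f for r in responses if (f := check_response(r, now))}

# Constructed sample data: one compliant, one over-long, one stale response.
NOW = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    OcspStatus("SERIAL-OK", NOW - timedelta(days=1), NOW + timedelta(days=3)),
    OcspStatus("SERIAL-LONG", NOW - timedelta(hours=2), NOW + timedelta(days=30)),
    OcspStatus("SERIAL-STALE", NOW - timedelta(days=6), NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for serial, findings in audit(SAMPLES, NOW).items():
        print(serial, findings)
```

Run against every response the responder has pre-generated, a check like this catches an over-long `nextUpdate` before the response later turns stale in caches.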