Bugzilla #1879602
Certificate Problem Report
Entrust: OCSP response signed with SHA-1
RESOLVED
FIXED
Entrust
AI Summary
Entrust identified that two of its root CA OCSP responders were incorrectly signing responses using SHA-1 instead of the required SHA-256. This issue was discovered through monitoring with OCSP Watch. Upon confirmation, Entrust quickly scheduled a fix, which was implemented on February 6, 2024. The root cause was traced back to a failure in updating the online OCSP responders to comply with the SHA-1 sunset date. Entrust has since updated its monitoring procedures and operational protocols to prevent similar issues in the future.
Chronology
- Operations reviewed OCSP Watch and identified the SHA-1 signing issue.
- Authorization to fix the issue was confirmed.
- The fix was applied to production.
- Monitoring was updated to ensure compliance.
- All actions were completed, and the incident was requested to be closed.
Participants
Bruce Morton
Aaron
Mathew Hodson
Amir Aamidi
Clint Wilson
Similar Local Cases
Entrust: clientAuth TLS Certificates without serverAuth EKU
Entrust: Failure to revoke EV TLS certificates issued before CPS update
Entrust: TLS Certificate issued with a key that is impacted by the Close Primes vulnerability
Entrust: IP Address in dNSName form
Entrust: Failure to revoke a certificate
Entrust: Incorrect keyUsage for ECC certificate
Entrust: Test Website Certificates Expired
Entrust: Printable String Constraint Failure