Bugzilla #1879845
Certificate Misissuance
Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName
RESOLVED
FIXED
Asseco Data Systems S.A.
AI Summary
Certum issued 96 S/MIME certificates with incorrect subjectAlternativeName values due to a system error. The issue was identified on February 12, 2024, leading to a suspension of certificate issuance and a subsequent fix deployed on February 13, 2024. All affected certificates were revoked, and the compliance team has since implemented additional testing scenarios to prevent future occurrences. The incident report highlighted both the quick resolution and the oversight during application testing.
Chronology
- System version with error deployed
- Error identified during routine review
- System fix deployed and issuance resumed
- All affected certificates revoked
- Linting for S/MIME certificates implemented
Participants
Kateryna Aleksieieva
Aaron Gable
Ben Wilson
Similar Local Cases
Asseco DS / Certum: Delayed revocation of EV certificates
SwissSign: difference in upper and lower case between CN field and SAN
SwissSign: Mis-Issuance of S/MIME certificates
Asseco DS / Certum: Non-BR-Compliant Issuance - Debian Weak Keys
TWCA: CA certificate without EKU
Microsoft PKI Services: Certificate Mis-Issuance, Locality Missing
Asseco DS / Certum: EV Certificates issued with wrong Business Category
Asseco DS / Certum: Invalid value in SAN dNSName