← Entrust cases
Bugzilla #1883843
Certificate Misissuance
Entrust: EV TLS Certificate cPSuri missing
RESOLVED
FIXED
Entrust
AI Summary
Entrust reported a misissuance of over 26,000 EV TLS certificates due to the omission of the required `cPSuri` in the `certificatePolicies` extension. This issue arose from changes made to comply with the TLS Baseline Requirements following Ballot SC-62v2. After confirming the misissuance, Entrust initially chose not to stop issuing these certificates, citing potential disruption to customers. However, following community feedback and discussions with browser vendors, they ceased issuance and corrected the certificate profile. Entrust has since committed to revoking the affected certificates and improving their incident management procedures.
Chronology
- Report received about missing cPSuri in certificates.
- Mis-issuance confirmed; investigation initiated.
- Stopped issuing mis-issued certificates and fixed the profile.
- Notified customers of the need to revoke affected certificates.
Participants
Paul van Brouwershaven
Ryan Dickson
Amir Aamidi
Mathew Hodson
JR Moir
Aaron
Ben Wilson
External References
Similar Local Cases
Entrust: Failure to revoke OV TLS - CPS typographical (text placement) error
Entrust: CPS typographical (text placement) error
Entrust: Jurisdiction Locality Wrong in EV Certificate
Certigna: TLS certificates with Basic constraint non-critical
Digicert: Failure to include CPS URI in 1 certificate
Telia: Certificates Issued with lower case value in subject:countryName
SwissSign: MPKI step-up process sets wrong JoI Locality
GlobalSign: TLS OV Certificate containing unverified information