Bugzilla #1884461
Certificate Problem Report
Microsoft PKI Services: CA Certificates not published in DER Encoded Format
RESOLVED
FIXED
Microsoft Corporation
AI Summary
Microsoft PKI Services identified that eight certificates published to the AIA repository were incorrectly encoded in PEM format instead of the required DER format, violating RFC 5280 Section 4.2.2.1. This issue was self-identified and did not halt certificate issuance, as the certificates themselves were not malformed. The team initiated a staged deployment to replace the affected certificates and update their publishing process to prevent future occurrences. All action items related to this incident have been completed.
Chronology
- Microsoft PKI Services published 8 CA certificates to the AIA file repository.
- Completed replacement of 8 old PEM-encoded files with new DER-encoded files.
- Updated AIA publishing process to check for DER encoding.
- All repair items related to the incident were completed.
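
One way a publishing step could check for DER encoding before files reach an AIA repository, as an added example (not Microsoft's process or code; the function names, file names and sample bytes are hypothetical and constructed). It is a structural check only: it confirms the file is exactly one DER SEQUENCE rather than PEM text, and does not parse X.509 fields.

```python
import base64
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def is_single_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (definite, minimal length)."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                          # short-form length
        header, length = 2, first
    else:
        n = first & 0x7F                      # long form: n length octets
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False                      # n == 0 is indefinite (BER only)
        length = int.from_bytes(data[2:2 + n], "big")
        if length < 0x80 or data[2] == 0:     # DER demands minimal encoding
            return False
        header = 2 + n
    return header + length == len(data)       # no truncation, no trailing bytes

def classify(data: bytes) -> str:
    """Return 'der', 'pem' or 'unknown' for a file bound for an AIA URL."""
    if is_single_der_sequence(data):
        return "der"
    match = PEM_CERT.search(data)
    if match:
        try:
            body = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError:
            return "unknown"
        if is_single_der_sequence(body):
            return "pem"
    return "unknown"

def rejected_for_publication(files: dict) -> dict:
    """Map file name -> detected encoding for every file that is not DER."""
    return {name: kind for name, data in files.items()
            if (kind := classify(data)) != "der"}

# Constructed sample: SEQUENCE { INTEGER 1, INTEGER 2 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(rejected_for_publication({"ca1.crt": SAMPLE_DER, "ca2.crt": SAMPLE_PEM}))
```

A file name ending in `.crt` or `.cer` says nothing about the encoding, so the gate inspects the bytes and rejects anything that is not a single DER object, including DER with a trailing newline.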
Participants
u654666@disabled.tld
amir@aaomidi.com
jeremy.rowley@digicert.com
agwa-bugs@mm.beanwood.com
johnmas@microsoft.com
bwilson@mozilla.com
Similar Local Cases
Microsoft PKI Services: Subject Key Identifiers in Some Subscriber Certificates Do Not Comply with RFC 5280
Microsoft PKI Services: Invalid Email Address for CPRs
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued
Microsoft PKI Services: CRL Publication Failures
Microsoft PKI Services: Subscriber certificate change made that was not compliant with CPS
Microsoft PKI Services: Failure to Update Full Incident Report within 14 days of discovering new root cause
Google Trust Services: SXG certificates issued without correctly checking CAA restrictions
Entrust: Jurisdiction issue in some EV TLS & Code Signing certificates