← Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) cases
Bugzilla #1884532
Certificate Misissuance
ACCV: Certificates issued with cRLIssuer in CDP extension
RESOLVED
FIXED
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)
AI Summary
The Government of Spain's ACCV issued over 837 certificates containing the cRLIssuer field in the CRL Distribution Points extension, which violates the Baseline Requirements. The issue was identified on March 9, 2024, following a routine review, leading to an urgent meeting and confirmation of misissuance. All affected certificates were revoked by March 14, 2024. The root cause was attributed to manual verification processes and a lack of a comprehensive matrix for certificate profile fields. ACCV has since implemented corrective actions, including improved protocols and additional linting tools to prevent future occurrences.
Chronology
- Baseline Requirements for TLS 2.0.0 became effective.
- Misissuance confirmed; urgent meeting held.
- All affected certificates revoked.
- New protocols for incident response implemented.
- Pkilint added as a pre-linting tool.
Participants
Jose Amador
Ryan Dickson
B. Wilson
External References
Similar Local Cases
ACCV: Insufficient serial number entropy
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates
NAVER Cloud Trust Services: Incorrect keyUsage for ECC certificate
Microsec: Certificate validity period greater than 398 days
GlobalSign: EV certificate with wildcard domain in common name and SAN
Certigna: TLS certificates with Basic constraint non-critical
Actalis: Certificates issued with invalid RDN order
eMudhra: emSign CA Invalid OrganizationalUnitName