Bugzilla #1886467
Certificate Problem Report
Entrust: clientAuth TLS Certificates without serverAuth EKU
RESOLVED
FIXED
Entrust
AI Summary
Entrust identified a compliance issue involving 15 EV certificates that were issued with the Extended Key Usage (EKU) attribute set to `id-kp-clientAuth` but lacking the required `id-kp-serverAuth` attribute. This incident affects a total of 1176 TLS certificates, which, while non-compliant, do not pose a security risk. The issue arose from a misunderstanding of the updated TLS Baseline Requirements, which now mandate the presence of the `id-kp-serverAuth` EKU. Entrust has since halted the issuance of such certificates and is working on corrective actions.
Chronology
- Suspicion of potential mis-issuance confirmed; incident response triggered.
- Issuance of non-compliant certificates stopped.
- Impacted customers notified to replace and revoke their certificates.
- All actions completed; closure of incident requested.
Participants
Paul van Brouwershaven
Ryan Dickson
Mathew Hodson
Bruce Morton
Dimitris Zacharopoulos
Similar Local Cases
Entrust: CRL non-conformance with the TLS BRs
Entrust: EV Certificate missing Issuer’s EV Policy OID
Entrust: SSL Certificates issued with Un-verified IP Addresses
Entrust: Failure to revoke EV TLS certificates issued before CPS update
Entrust: OCSP response signed with SHA-1
Entrust: delayed revocation
Entrust: CRL missing revocation reasonCode
Entrust: Test Website Certificates Expired