← Chunghwa Telecom cases
Bugzilla #1887096
Certificate Misissuance
Chunghwa Telecom: Wrong Extended Key Usage setting by GTLSCA
RESOLVED
FIXED
Chunghwa Telecom
AI Summary
Chunghwa Telecom's GTLSCA identified a certificate misissuance issue involving approximately 6,450 certificates with incorrect Extended Key Usage (EKU) settings. The problem was reported on March 19, 2024, leading to the immediate revocation of three specific certificates and a broader investigation. Following an impact assessment, GTLSCA decided to automate the renewal of all affected certificates to minimize disruption. The root cause was traced to a misunderstanding of the EKU profile requirements under the new TLS Baseline Requirements, which was corrected on March 11, 2024. All remediation actions were completed by early September 2024.
Chronology
- Problem report received; initial revocations made.
- Incident report posted.
- All problematic certificates revoked.
- All action items completed; case closed.
Participants
Tsung-Min Kuo
Aaron Gable
Leo Fang
Rob Stradling
Amir Aamidi
External References
Similar Local Cases
SwissSign: difference in upper and lower case between CN field and SAN
Chunghwa Telecom: Test certificate with unregistered domain name
Sectigo: Invalid stateOrProvinceName
Let's Encrypt: Gen Y Cross-Certified Subordinate CAs missing serverAuth EKU
Sectigo: EV Certificate issuance with incorrect subject:serialNumber attribute value
SwissSign: MPKI step-up process sets wrong JoI Locality
NetLock: Issuance of >398-day precertificates after 2020-09-01
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates