Bugzilla #1887705
Delayed Revocation
Entrust: Delayed revocation of clientAuth TLS Certificates without serverAuth EKU
RESOLVED
FIXED
Entrust
AI Summary
Entrust significantly delayed revoking TLS certificates that carried the clientAuth EKU but lacked the serverAuth EKU. After being made aware of the misissuance, the CA committed to revoking the affected certificates within five days, but customer dependencies and inadequate automation prolonged the revocation timeline. As of June 28, 2024, all affected certificates have been revoked, and Entrust has committed to improving its processes to prevent future delays.
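The class of certificate at issue is identifiable purely from the Extended Key Usage extension: id-kp-clientAuth present, id-kp-serverAuth absent. The following Go program, added here as an illustration and not code from Entrust or from the incident thread, classifies a DER-encoded leaf certificate on that basis using only the standard library. The certificates it inspects are self-signed test certificates constructed inside the program, so it runs offline; the names `classifyEKU`, `ClassifyDER` and `makeTestCert` are this example's own. One design choice to note: Go's verifier accepts anyExtendedKeyUsage when checking for serverAuth, so the classifier treats it the same way, and a certificate with no EKU extension at all falls into the "other" bucket rather than being assumed to be a server certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ekuClass is the bucket a leaf certificate lands in based on its EKU extension.
type ekuClass string

const (
	ekuServerAuth     ekuClass = "serverAuth"      // id-kp-serverAuth (or anyExtendedKeyUsage) present
	ekuClientAuthOnly ekuClass = "clientAuth-only" // id-kp-clientAuth present, id-kp-serverAuth absent
	ekuOther          ekuClass = "other"           // neither, including an absent EKU extension
)

// classifyEKU inspects the parsed Extended Key Usage values of a certificate.
func classifyEKU(cert *x509.Certificate) ekuClass {
	hasServer, hasClient := false, false
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageAny:
			// Go's chain verifier lets anyExtendedKeyUsage satisfy serverAuth, so mirror that.
			hasServer = true
		case x509.ExtKeyUsageClientAuth:
			hasClient = true
		}
	}
	switch {
	case hasServer:
		return ekuServerAuth
	case hasClient:
		return ekuClientAuthOnly
	default:
		return ekuOther
	}
}

// ClassifyDER parses a DER-encoded certificate and classifies its EKU.
func ClassifyDER(der []byte) (ekuClass, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("parse certificate: %w", err)
	}
	return classifyEKU(cert), nil
}

// makeTestCert builds a self-signed certificate with the given EKUs and returns its DER encoding.
// This is constructed test data for the example, not a real Entrust-issued certificate.
func makeTestCert(cn string, ekus []x509.ExtKeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	cases := map[string][]x509.ExtKeyUsage{
		"client-only.example": {x509.ExtKeyUsageClientAuth},
		"server.example":      {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		"no-eku.example":      nil,
	}
	for cn, ekus := range cases {
		der, err := makeTestCert(cn, ekus)
		if err != nil {
			panic(err)
		}
		class, err := ClassifyDER(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s %s\n", cn, class)
	}
}
```

To run it against real certificates, replace the constructed DER with the bytes from a PEM block (decode with `encoding/pem`) or a CT log entry; the classification logic is unchanged.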
Chronology
- Entrust began contacting impacted customers regarding certificate replacement.
- All outstanding certificates were successfully revoked.
- Entrust confirmed that all certificates have been revoked.
Participants
Paul van Brouwershaven
Bruce Morton
Ngook Kong
Mike Shaver
Wayne
Dimitris Zacharopoulos
Tim Callan
R. Daurne
External References
Similar Local Cases
Microsec: Delayed revocation of the misissued certificates
Entrust: Late Revocation due to SHA-256 hash algorithm
Entrust: Delayed Revocation for EV TLS Certificate incorrect jurisdiction
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical
Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates
Entrust: Late Revocation for Invalid State/Province Issue
CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical)