Bugzilla #1895006
Certificate Misissuance
IdenTrust: unintended creation of a Root CA certificate
RESOLVED
FIXED
IdenTrust Services, LLC
AI Summary
On April 30, 2024, during a key ceremony intended to create a Subordinate Certification Authority (CA), an incorrect command led to the unintended creation of a self-signed Root CA certificate. This certificate did not meet the Server Certificate Baseline Requirements and was disclosed in the Common CA Database (CCADB). IdenTrust has since revoked the malformed certificate and is committed to improving its processes to prevent similar incidents in the future. A detailed incident report is expected by May 17, 2024.
Chronology
- Unintended creation of a self-signed Root CA certificate during a key ceremony.
- Preliminary incident report disclosed.
- Revocation of the malformed self-signed Root CA certificate.
- Full incident report expected.
Participants
roots@identrust.com
agwa-bugs@mm.beanwood.com
rob@sectigo.com
amir@aaomidi.com
dzacharo@harica.gr
martijn.katerbarg@sectigo.com
corey.bonnell@digicert.com
mathew.hodson@gmail.com
bwilson@mozilla.com
Similar Local Cases
IdenTrust: Mis-Issued EV Code Signing Certificate
PostSignum: Mis-issued certificate
CFCA: certificate with an incorrect OrganizationName
SSL.com: Issuance of one Sponsored-Validated S/MIME certificate with organization information in givenName and surName of the subjectDN
iTrusChina: Issuance of certificates using keys previously reported as compromised
IdenTrust: Cross-signed root certificate mis-issuance
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints
SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels