Bugzilla #1897538
Certificate Problem Report
Sectigo: Incorrectly included registrationStateOrProvince in PSD-based cabfOrganizationIdentifier extension
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified a misissuance involving two QWAC PSD2 TLS certificates, where one certificate incorrectly included a registrationStateOrProvince in the cabfOrganizationIdentifier extension. The issue arose from a bug in their code that incorporated the NCA value into the registrationStateOrProvince field. Sectigo has since halted the issuance of such certificates and is investigating the impact on other certificates. A patch was deployed to resolve the issue, and a complete incident report was promised by May 29, 2024.
Chronology
- Received a call about potentially misissued certificates.
- Confirmed one additional misissued certificate.
- Initiated customer contact regarding the situation.
- Scheduled revocation event for both misissued certificates.
- Promised completion of the incident report.
Participants
Martijn Katerbarg
Ryan Dickson
Clint Wilson
Similar Local Cases
Sectigo: Failure to invalidate Email DCV Random Values after 30 days
Sectigo: Certificate issuance by non-compliant Extant S/MIME CA
Sectigo: S/MIME certificates with (null) string value in subject attributes
Sectigo: Issuance of ECC leaf certificates with non-DER encoded keyUsage
Sectigo: Incomplete Subject organizationName
Sectigo: HTML encoded characters in subject attribute values
Sectigo: Failure to block disallowed LDH labels in domain names
Sectigo: SC45 DCV Reuse Error