Bugzilla #1909948
Certificate Misissuance
GoDaddy: Edge Case for Data Reuse Outside of Timeframes
RESOLVED
FIXED
GoDaddy
AI Summary
During a 3% audit, GoDaddy identified a mis-issued DV UCC certificate whose prior domain validations had been reused beyond the 398-day limit. The certificate was revoked within the required 24-hour timeframe. A bug in the pre-issuance validation logic was discovered, affecting a limited number of additional certificates. GoDaddy has since deployed a fix and completed all action items related to the incident, with no further issues reported.
Chronology
- Internal 3% Audit reports potential mis-issued certificate
- Reported mis-issued certificate revoked
- Bug fix and additional unit tests rolled out to production
- Synthetic monitoring deployed and operating as expected
- Closure of the incident matter planned
Participants
star@godaddy.com
bwilson@mozilla.com
Similar Local Cases
GoDaddy: Misissuance of Cross Signed Certs
GoDaddy: Random Value Vulnerability in Domain Validation Method
GoDaddy: Improper DER results in failure to comply with RFC 5280 - Invalid characters in PrintableString
Telekom Security: Certificate with invalid FQDN
Sectigo: Subject field with unvalidated information included in certificates
SSL.com: Issuance of TLS certificates with domain validation methods prohibited by SC-45
SSL.com: S/MIME certificates issued prior to validation
iTrusChina: Issuance of certificates using keys previously reported as compromised