Bugzilla #1914893
Technical Compliance
Amazon Trust Services: CRL not DER-encoded
RESOLVED
FIXED
Amazon Trust Services
AI Summary
Amazon Trust Services faced an issue where a Certificate Revocation List (CRL) was served in PEM format instead of the required DER format, violating RFC 5280. This was due to a recent change to an automated deployment process that did not include checks for CRL format. The issue was identified during a regular review, and corrective actions were taken to ensure compliance. The CRL was updated to the correct format shortly after the issue was discovered, and Amazon Trust Services has since requested the case be closed as resolved.
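A format gate of the kind the summary says the deployment process lacked could look like the following. This is an added example, not Amazon Trust Services' tooling; the function names and sample bytes are assumptions made for illustration, and the check is structural only (it does not verify the CRL signature).

```python
import base64

PEM_HEADER = b"-----BEGIN X509 CRL-----"

# Constructed sample: a DER shell with the three CertificateList fields.
# It is not a real signed CRL and carries no revocation data.
SAMPLE_DER = bytes.fromhex("300d" "3003020101" "30020500" "030200ff")
SAMPLE_PEM = (PEM_HEADER + b"\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END X509 CRL-----\n")


def read_tlv(buf, off):
    """Parse one DER TLV at off; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first  # short form
    else:
        n = first & 0x7F  # long form: n length bytes follow
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or buf[off] == 0:
            raise ValueError("non-minimal length (not DER)")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, off, off + length


def classify_crl(body):
    """Return 'der', 'pem' or 'invalid' for the bytes a CRL URI serves."""
    if body.lstrip().startswith(PEM_HEADER):
        return "pem"  # ASCII armor: the condition this incident describes
    try:
        tag, start, end = read_tlv(body, 0)
        if tag != 0x30 or end != len(body):
            return "invalid"  # not one SEQUENCE spanning the whole body
        tags = []
        while start < end:
            t, _, start = read_tlv(body, start)
            tags.append(t)
    except ValueError:
        return "invalid"
    # CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm,
    # signatureValue }: SEQUENCE, SEQUENCE, BIT STRING
    return "der" if tags == [0x30, 0x30, 0x03] else "invalid"
```

A deployment step would call `classify_crl` on the file about to be published and refuse to proceed on any result other than `'der'`.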
Chronology
- Deployed new CRL to the specified URI.
- Regular review of CRLWatch identified a parsing error.
- Incident identified during the next regular review.
- Updated CRL in correct format completed deployment.
- Requested closure of the issue as resolved.
Participants
Andrew Ayer
Trevoli (Amazon Trust Services)
bwilson@mozilla.com
Similar Local Cases
Amazon Trust Services: Missing CAA Check For Test Website Certificates
Amazon Trust Services: Failure to comply with RFC 5280
Microsoft PKI Services: 3-Month Access Review Process Failure
Microsoft PKI Services: Trusted Role Control Failure
Apple: CRL issuance frequency deviates from CPS in some cases
Sectigo: Late termination of privileged access to Certificate Systems
Entrust: Non-BR-Compliant OCSP Responder
PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #6 – Access Control Management