Bugzilla #1927384
Certificate Misissuance
iTrusChina: Issuance of certificates using keys previously reported as compromised
RESOLVED
FIXED
iTrusChina Co., Ltd.
AI Summary
iTrusChina issued 41 certificates using private keys that had previously been reported as compromised, violating the TLS Baseline Requirements (BRs). The incident was triggered by a system bug that incorrectly set the revocation reason to 'keyCompromise' for non-compromised keys, compounded by staff misunderstanding of the relevant requirements. Following the discovery, iTrusChina revoked all affected certificates and implemented training and system updates to prevent recurrence. The company has completed all action items related to this incident and is requesting closure.
Chronology
- iTrusChina notified by Google about potential mis-issued certificates.
- Investigation started and preliminary incident report filed.
- Incident report detailing root causes and remediation published.
- Incident report closure summary completed.
- All action items completed; request for incident closure submitted.
Participants
vTrus_contact@itrus.cn
dzacharo@harica.gr
bwilson@mozilla.com
rob@sectigo.com
Similar Local Cases
IdenTrust: unintended creation of a Root CA certificate
CFCA: certificate with an incorrect OrganizationName
Hongkong Post: Invalid EV cert businessCategory
SwissSign: EV code in JurisdiktionStateOrProvinceName
Actalis: Issuance of certificate using keys previously reported as compromised
Financijska agencija (Fina): Mis-issued certificates
HARICA: S/MIME certificate issuance with incorrect commonName
GoDaddy: Edge Case for Data Reuse Outside of Timeframes