Bugzilla #1929189
Certificate Misissuance
SwissSign: S/MIME certificates deviate from CPR
CLOSED
FIXED
SwissSign AG
AI Summary
SwissSign AG reported a misissuance of 30,967 sponsor-validated S/MIME certificates due to a deviation between the certificate profile in their public documents and the issued certificates. The issue arose from a misunderstanding regarding key usage combinations allowed in the certificates, which led to the issuance of certificates that did not comply with the Certificate Policy Requirements (CPR). All affected certificates were revoked promptly, and the CPR was updated to reflect the correct profile. Additionally, a new automation system was implemented to prevent future discrepancies.
Chronology
- Introduction of the new S/MIME NCP extended profile and publication of version 6 of the SwissSign CPR S/MIME
- Start of issuance of sponsor-validated S/MIME certificates according to the updated CPR
- Revocation of all affected certificates completed
- CPR updated to mark the profile for ICA 2022-1 as retired
- Go-live with CPR automation after successful audit
Participants
Mike Guenther
Roman Fischer
Stephan Verbuecheln
Similar Local Cases
SwissSign: S/MIME wrong key Usage
SwissSign: S/MIME LCP: CN with values other than email address
SwissSign: Missed revocation and opening Bugzilla
SwissSign: Mis-Issuance of S/MIME certificates
SwissSign: Certificate with key length 4098 bit
SwissSign: EV JurisdictionStateOrProvinceName - one certificate not selected for revocation
SwissSign: Certificate with key length 16258
SwissSign: MPKI step-up process sets wrong JoI Locality