Bugzilla #1938167
Certificate Problem Report
NETLOCK: CRL not published in DER Encoded Format
RESOLVED
FIXED
Netlock
AI Summary
NETLOCK faced an issue where Certificate Revocation Lists (CRLs) were published in PEM format instead of the required DER format, violating RFC 5280. This issue was reported on December 17, 2024, and confirmed the following day. NETLOCK quickly addressed the problem by changing the default encoding format to DER and replacing the affected CRLs. No impact on subscribers was identified, and all action items related to the incident have been completed, including the implementation of a validation process to prevent future occurrences.
Chronology
- Notification received regarding improperly encoded CRLs.
- Confirmation of the issue and initiation of corrective actions.
- Completion of the integration process for the pkimetal linter.
- Final testing and production rollout of the linter completed.
Participants
nagy.nikolett@netlock.hu
bugzilla@jesperkristensen.dk
martijn.katerbarg@sectigo.com
bwilson@mozilla.com
Similar Local Cases
Microsoft PKI Services: CA Certificates not published in DER Encoded Format
FNMT: Invalid localityName
NETLOCK: Invalid CT data in issued certs (SABRE.CT misconfiguration)
NETLOCK: SSL certificates with OU field - revocation delay
NetLock: Non-BR-Compliant Certificate Issuance -- * in not the leftmost position in dnsName
NETLOCK: Pre-certificates revoked with certificateHold reason
NETLOCK: CRL Error on CRL Watch of NETLOCK DVCA CRL
Netlock: CA in AIA in PEM format