Bugzilla #1938236
Certificate Problem Report
SSL.com: Failure to process CAA records from one SubCA
RESOLVED
FIXED
SSL.com
AI Summary
SSL.com identified a failure to properly configure the CAA validator for a CA certificate, affecting 57 TLS certificates, of which 7 were still active. The issue was discovered during a retroactive verification process and was promptly remediated, with all active certificates revoked within 24 hours. The root cause was attributed to a misconfiguration during the setup process and insufficient peer review due to the complexity of changes made. SSL.com has since updated its procedures to prevent future occurrences.
Chronology
- Discovered misconfiguration of CAA validator
- Revoked all 7 active certificates
- Completed action items to improve configuration processes
- Incident report closure expected
Participants
Rebecca Kelley
secauditor@ssl.com
bwilson@mozilla.com
External References
Similar Local Cases
SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
SSL.com: CAA Empty set handling results in Wildcard issuance
SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
SSL.com: Insufficient validation evidence for the localityName attribute of an OV certificate
SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list.
SSL.com: Delayed revocation of certificate with weak key
SSL.com: Delay in publishing OCSP responses
SSL.com: Incorrect Open MPIC Lambda implementation by EJBCA ACME Service