Bugzilla #1943596
Certificate Misissuance
HARICA: S/MIME certificate issuance with incorrect commonName
RESOLVED
FIXED
HARICA
AI Summary
HARICA identified a flaw in their S/MIME certificate issuance workflow where the `organizationName` was incorrectly included in the `commonName` field instead of the expected combination of `givenName` and `surname`. This issue was detected on January 22, 2025, leading to a suspension of certificate issuance until a fix was implemented the following day. A total of 68 mis-issued certificates were identified, with 43 requiring revocation. All affected certificates were revoked by January 31, 2025, and additional unit tests and realistic test vectors were implemented to prevent future occurrences.
Chronology
- Flaw in S/MIME certificate issuance detected.
- Fix deployed and certificate issuance resumed.
- All affected certificates revoked.
- Incident report closure summary submitted.
Participants
Dimitris Zacharopoulos
bwilson@mozilla.com
Similar Local Cases
HARICA: TLS Server certificate issuance without proper validation
HARICA: 3 EV TLS Certificates without L or ST
HARICA: subject:organizationIdentifier using VATEL as a prefix for tax identifier
FNMT: Misissuance of web site certificates without CA/Browser Forum’s reserved policy OID
Camerfirma: certificate with an incorrect OrganizationName
Sectigo: Subject field with unvalidated information included in certificates
SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels
CFCA: certificate with an incorrect OrganizationName