Bugzilla #1944436 Certificate Problem Report

Microsoft PKI Services: Subject Key Identifiers in Some Subscriber Certificates Do Not Comply with RFC 5280

RESOLVED FIXED Microsoft Corporation
AI Summary

Microsoft PKI Services issued multiple non-expired Subscriber certificates with identical Subject Key Identifier (SKI) values, violating RFC 5280 requirements for uniqueness. This issue arose from a manual Certificate Signing Request (CSR) process that allowed non-compliant SKI values derived from a null SHA-1 hash. A total of 19 certificates were identified as impacted, including 12 unexpired and 7 expired. Microsoft has since implemented additional validation checks to ensure compliance with RFC 5280 and prevent recurrence of similar issues.

Model: gpt-4o-mini Generated: 2026-06-13 21:19 UTC Confidence: 1.00
Chronology
  1. Certificate Problem Report received from a researcher.
  2. Internal investigation initiated.
  3. Validation check for subjectKeyIdentifier compliance implemented.
  4. Evaluation of all certificate properties completed.
  5. Final incident report submitted.
Participants
u654666@disabled.tld, stephan@verbuecheln.ch, bwilson@mozilla.com, pete@cooperjr.name, johnmas@microsoft.com, aaron@letsencrypt.org
Similar Local Cases
#1884461 RESOLVED Certificate Problem Report Opened 2024-03-08 · Closed 2024-05-20 · 74% similar
Microsoft PKI Services: CA Certificates not published in DER Encoded Format
#1965612 RESOLVED Certificate Problem Report Opened 2025-05-10 · Closed 2026-05-04 · 72% similar
Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829
#1842121 RESOLVED Certificate Problem Report Opened 2023-07-07 · Closed 2023-09-29 · 66% similar
Microsoft PKI Services: CRL Publication Failures
#1962830 RESOLVED Certificate Problem Report Opened 2025-04-26 · Closed 2025-06-20 · 61% similar
Microsoft PKI Services: Subscriber certificate change made that was not compliant with CPS
#2034251 RESOLVED Certificate Problem Report Opened 2026-04-22 · Closed 2026-05-13 · 57% similar
Microsoft PKI Services: Failure to Update Full Incident Report within 14 days of discovering new root cause
#1904257 RESOLVED Certificate Problem Report Opened 2024-06-23 · Closed 2024-06-30 · 57% similar
Microsoft PKI Services: Invalid Email Address for CPRs
#1789521 RESOLVED Certificate Problem Report Opened 2022-09-06 · Closed 2024-05-09 · 55% similar
Let's Encrypt: Certificates issued to Elliptic Curve Debian Weak Keys
#1905446 RESOLVED Certificate Problem Report Opened 2024-06-28 · Closed 2024-12-09 · 54% similar
IdenTrust: Unauthorized OCSP response on a Timestamp certificate
