Bugzilla #1949131
Certificate Misissuance
CFCA: BasicConstraints are not marked as critical certificates are missing and therefore not revoked
RESOLVED
FIXED
China Financial Certification Authority (CFCA)
AI Summary
The China Financial Certification Authority (CFCA) issued certificates whose basicConstraints extension was not marked as critical, which the TLS Baseline Requirements 2.0.0 require, so those certificates were non-compliant. After a third party notified CFCA of the problem, CFCA revoked over 2,000 certificates between September 2023 and March 2024. Despite those revocations, three certificates issued in January 2024 were later found to be non-compliant. CFCA has since put measures in place to prevent a recurrence, including system upgrades and improved revocation processes.
Chronology
- TLS BR 2.0.0 takes effect; certificates issued do not meet basicConstraints requirements.
- CFCA completes system configuration change to mark basicConstraints as critical.
- CFCA is notified of three non-compliant certificates.
- CFCA revokes the last of the identified non-compliant certificates.
Participants
Gao Fei
External References
Similar Local Cases
CFCA: EV Certificates misissued with incorrect businessCategory
CFCA: certificate with an incorrect OrganizationName
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints
Telia: S/MIME Misissuance incorrect AIA id-ca-caIssuer http:URI
Telia: invalid IP value in SAN DNS field
SwissSign: Certificate with key length 4098 bit
Sectigo: Incorrect EV businessCategory
Sectigo: State name in localityName