Certainly: Early CRL Entry Removal

On February 13, 2025, Certainly LLC deployed a version of Boulder that contained a logic bug, leading to the premature removal of some revoked certificates from the Certificate Revocation List (CRL). This incident was identified on March 18, 2025, after a notification from the Let's Encrypt team. Although the bug could have affected a significant number of certificates, further investigation revealed that Certainly's specific configuration prevented any actual compliance issues. The company has since implemented a fix and is enhancing its monitoring systems to prevent similar occurrences in the future.

1. 2025-01-27 Upstream commit containing bug in CRL generation code
2. 2025-02-13 Deployed Boulder release containing the bug
3. 2025-03-18 Received notification from Let's Encrypt
4. 2025-03-19 Preliminary incident report published
5. 2025-03-28 Revised evaluation of the incident published