← Microsoft Corporation cases
Bugzilla #1979475
Certificate Misissuance
Microsoft PKI Services: End Entity Certificate Mis-issuance against CPS (BasicConstraints)
RESOLVED
FIXED
Microsoft Corporation
AI Summary
Microsoft PKI Services identified a compliance issue involving the issuance of 784 Public TLS end entity certificates that did not include the Basic Constraint extension, which is required by their Certificate Practice Statement (CPS). The issue was discovered through enhanced monitoring and all affected certificates were revoked promptly. The root cause was traced to legacy profiles that lacked the necessary extension, which were reused without proper validation against updated CPS requirements. Remediation actions have been implemented to prevent future occurrences, including a validation checklist and internal linting rules.
Chronology
- Non-compliance start date
- Non-compliance identified
- All impacted certificates revoked
Participants
CentralPKI@microsoft.com
External References
Similar Local Cases
Microsoft PKI Services: Misissuance detected by PKIMetal
Microsoft PKI Services: Certificate Mis-Issuance, Locality Missing
Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD
Microsoft PKI Services: Certificate Mis-Issuance, DNSName is not FQDN, Preferred Name Syntax
Microsoft PKI Services: DV certificate issued with OV fields
TrustAsia: SSL DV Mis-issuance against CP/CPS (IPAddress)
IdenTrust: Validation Source for EV Certificates not Publicly Disclosed
FNMT: Missisuance of web site certificates without CA/Browser Forum’s reserved policy OID