← Certigna cases
Bugzilla #1983955
Certificate Problem Report
Certigna: Subscriber certificate with EKU clientAuth only
RESOLVED
FIXED
Certigna
AI Summary
Certigna Services CA issued client authentication certificates that only included the clientAuth Extended Key Usage (EKU) without the required serverAuth EKU or CA/Browser Forum reserved policy identifier. This raised compliance concerns with the TLS Baseline Requirements. Following a notification from Sectigo, Certigna suspended the issuance of these certificates and initiated a mass revocation of affected certificates. All impacted subscribers were contacted, and the transition to a new dedicated client authentication CA was expedited. The incident has been resolved with all corrective actions completed.
Chronology
- Incident identified and certificate issuance suspended.
- Mass revocation of affected certificates executed.
- Incident closure summary provided.
Participants
r.delval@certigna.com
chrome-root-program@google.com
incident-reporting@ccadb.org
External References
Similar Local Cases
Certigna: Multiple Reserved Certificate Policy Identifiers in CA certificates
Dhimyotis / Certigna: Failure to revoke in the timeline specified by the BRs
Apple: Public Key Reuse
SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ)
certSIGN: delay in updating a Bugzilla ticket
Certigna: Revocation delay for TLS certificates with basic constraint not marked as critical
Certigna: ARL without reasoncode for recent revoked CA certificates
Certigna: AIA CA issuer field pointing to PEM encoded cert