Bugzilla #1985307
Certificate Problem Report
Sectigo: OCSP and CRL traffic not being proxied for 3 Subordinate CAs
RESOLVED
FIXED
Sectigo
AI Summary
On August 26, 2025, Sectigo identified that requests for CRLs issued by three newly established Subordinate CAs were returning a 404 response, and that OCSP queries for those CAs were returning "unauthorized" responses. Because of this, certificate issuance from these CAs was halted. The problem was traced to the CDN proxy not forwarding the CRL and OCSP traffic, even though the endpoints behind it were operational. The incident was resolved the same day, and Sectigo has since updated its internal policies to prevent recurrence.
Chronology
- CRLs and OCSP responses for 3 Subordinate CAs were found to be unavailable.
- Issuance from the affected Subordinate CAs was halted.
- The incident was resolved by 13:34 UTC.
- All action items related to the incident were completed.
Participants
Martijn Katerbarg
Similar Local Cases
Sectigo: Certificate issuance by non-compliant Extant S/MIME CA
Sectigo: S/MIME certificates with (null) string value in subject attributes
Sectigo: Incorrectly included registrationStateOrProvince in PSD-based cabfOrganizationIdentifier extension
Sectigo: HTML encoded characters in subject attribute values
Sectigo: Intermittent OCSP unauthorized responses for certificates older than 15 minutes
Sectigo: Failure to reply to Certificate Problem Reports within 24 hours
Sectigo: Partial OCSP response publication delay for newly issued certificates
Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value