Bugzilla #1991196
Certificate Problem Report
Sectigo: OCSP, caIssuers, and CRL endpoints unavailable for a single Subordinate CA
RESOLVED
FIXED
Sectigo
AI Summary
On September 25, 2025, Sectigo reported that the OCSP, caIssuers, and CRL endpoints for a Subordinate CA had become unavailable because the domain had expired and was not under Sectigo's control. The incident affected 17 leaf certificates, all of which were subsequently revoked. The root cause was identified as a failure to transfer the domain during the separation of Sectigo from Comodo Group in 2017. Sectigo has committed to tightening controls around Subordinate CA endpoints to prevent future occurrences.
Chronology
- Domain comodoca4.com expires.
- Sectigo identifies the issue with OCSP and CRL endpoints.
- Non-compliance ends after revocation of affected certificates.
- Review of endpoints completed and incident report closure requested.
Participants
Martijn Katerbarg
Incident Response Team
Similar Local Cases
Sectigo: Failure to invalidate Email DCV Random Values after 30 days
Sectigo: OV reuse data applied for wrong organization
Sectigo: Certificate issuance by non-compliant Extant S/MIME CA
Sectigo: Failure to block disallowed LDH labels in domain names
Sectigo: SC45 DCV Reuse Error
Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value
Sectigo: Temporary failure to publish OCSP responses for newly issued certificates
Sectigo: Failure to reply to Certificate Problem Reports within 24 hours