Netlock: CA in AIA in PEM format
Netlock has reported a compliance issue where several Authority Information Access (AIA) HTTP endpoints returned issuer certificates in PEM format instead of the required DER format, violating RFC 5280 Section 4.2.2.1. The non-compliance was identified through an external community report. Although the issue does not affect the issuance or validity of the TLS certificates themselves, it impacts relying parties that strictly require DER-encoded AIA responses when building certificate chains. Netlock has initiated remediation efforts, including a planned production release to correct the AIA endpoints by January 2026. However, concerns have been raised regarding the timeliness and effectiveness of their incident response and compliance practices.
- Non-compliant AIA configuration introduced for pdvca.
- Non-compliant AIA configuration introduced for trustev3 and qtrustev3.
- Non-compliant AIA configuration introduced for DVCA.
- External community report received identifying the AIA encoding non-compliance.
- Bugzilla bug filed by NETLOCK.
- Production deployment of initial corrective fix completed.
- Further issues identified with PEM encoding still being served.
- Development work for additional corrective fix initiated.
- Planned deployment of additional corrective fix.
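The relying-party side of the issue described above, as an added example that is not part of the original report or of any Netlock code: a strict check of an AIA caIssuers response body (DER certificate, `application/pkix-cert`) alongside a tolerant recovery path that unwraps a PEM body. The sample bodies are constructed stand-ins, not real Netlock certificates.

```python
import ssl

# Constructed stand-in for a DER-encoded certificate: a minimal ASN.1
# SEQUENCE { INTEGER 5 }. Not a real certificate; only the outer encoding matters here.
CONSTRUCTED_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
# The same bytes PEM-armored, i.e. what a non-compliant AIA endpoint would serve.
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER).encode("ascii")


def der_sequence_length(buf: bytes):
    """Total length of the outer DER SEQUENCE starting at buf[0], or None if absent."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:   # 0x80 (indefinite) is not DER
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def classify_aia_body(body: bytes) -> str:
    """'der' for a single DER SEQUENCE filling the body, 'pem' for PEM armor, else 'unknown'."""
    if body.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    if der_sequence_length(body) == len(body):
        return "der"
    return "unknown"


def check_aia_response(body: bytes, content_type: str):
    """Strict RFC 5280 4.2.2.1 check: returns (ok, list of problems found)."""
    problems = []
    kind = classify_aia_body(body)
    if kind != "der":
        problems.append(f"body is {kind}, expected a DER-encoded certificate")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/pkix-cert":
        problems.append(f"Content-Type {content_type!r}, expected application/pkix-cert")
    return (not problems, problems)


def recover_der(body: bytes) -> bytes:
    """Tolerant path for logging or local mitigation: unwrap a PEM body to DER."""
    if classify_aia_body(body) == "pem":
        return ssl.PEM_cert_to_DER_cert(body.decode("ascii").strip())
    return body


if __name__ == "__main__":
    print(check_aia_response(CONSTRUCTED_PEM, "application/x-pem-file"))
    print(recover_der(CONSTRUCTED_PEM) == CONSTRUCTED_DER)
```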