Bugzilla #2010600
Certificate Problem Report
D-Trust: CRLs of CAs issuing CA certificates exceed the maximum validity period
RESOLVED
FIXED
D-TRUST
AI Summary
D-Trust published a set of CRLs for CAs issuing CA certificates with a nextUpdate value that exceeded the maximum permitted validity period by approximately one day. This non-compliance was identified through a third-party report and was corrected promptly. The root cause was attributed to incomplete compliance controls that focused on the CRL replacement cycle rather than the encoded validity fields. Remedial actions included correcting the CRL profile and extending automated linting to ensure future compliance.
Chronology
- Non-compliance start date due to CRLs exceeding maximum validity period.
- Non-compliance identified through third-party report.
- First corrected CRL produced and published.
Participants
Ana Laura Martorano
Similar Local Cases
D-Trust: Missing Pre-Sign Linting for S/MIME Issuing CAs
D-Trust: CRL URL Disclosure
D-Trust: Expired certificate provided on the CA TLS test website for demonstration of valid certificates
D-Trust: Defective certificate incident reporting form
D-TRUST: Precertificate OU > 64 Characters
D-TRUST: Issuance of non-conformant SSL certificate
D-TRUST: Certificate with RSA key where modulus is not divisible by 8
D-Trust: "unknown" OCSP response for issued certificates