Bugzilla #2011713
Certificate Problem Report
TrustAsia: ACME Authorization Reuse Non-Compliance
RESOLVED
FIXED
TrustAsia Technologies, Inc.
AI Summary
TrustAsia Technologies, Inc. faced a significant compliance issue when it was reported that their LiteSSL ACME service reused domain validation records across different accounts, leading to the misissuance of 143 DV certificates. The incident was identified on January 21, 2026, and the ACME issuance service was immediately suspended. All affected certificates were revoked, and the vulnerability was fixed the same day. A full incident report was published detailing the root causes and remediation steps taken, including enhancements to their validation processes.
Chronology
- Incident reported and ACME service suspended.
- Affected certificates revoked and vulnerability fixed.
- Final incident report published.
Participants
Ca.mail@trustasia.com
malcolm.doody@gmail.com
tjtncks@gmail.com
Similar Local Cases
Chunghwa Telecom: OV TLS Server certificate issuance by GTLSCA without proper validation
SSL.com: DCV bypass and issue fake certificates for any MX hostname
TrustAsia: CRL disclosure address incorrectly using HTTPS scheme in CCADB
Asseco DS / Certum: Unallowed key usage for EC public key (Key Encipherment)
DigiCert: IP in dnsName
DigiCert: Verizon: "Default City" in Subject:localityName
DigiCert: CAA Checking Issue
DigiCert: Random value in CNAME without underscore prefix