Bugzilla #2012157
Certificate Misissuance
Actalis: Issuance of certificate using keys previously reported as compromised
RESOLVED
FIXED
Actalis
AI Summary
Actalis reported an incident involving the issuance of 18 certificates using private keys that had previously been revoked due to compromise. The issue was identified following a third-party report on January 23, 2026, leading to an internal investigation. All affected certificates were revoked by February 6, 2026. The root cause was a misconfiguration in the control mechanism that failed to prevent issuance against known compromised keys. Actalis has since implemented corrective actions and committed to strengthening its change management processes to prevent future occurrences.
Chronology
- Incident reported by third party
- Update on analysis and identification of additional affected certificates
- All affected certificates revoked
- Incident report closure summary issued
Participants
Federica Marti
dzacharo@harica.gr
marco.menonna@staff.aruba.it
incident-reporting@ccadb.org
Similar Local Cases
PostSignum: Mis-issued certificate
Actalis: Certificates issued with invalid RDN order
iTrusChina: Issuance of certificates using keys previously reported as compromised
Firmaprofesional: Misissuance of TLS Subordinate CA "AC Firmaprofesional - Secure Web 2024"
Actalis: Issuance of intermediates after 2020-08-20 that do not comply with Mozilla Policy and the Baseline Requirements
Actalis: Insufficient serial number entropy
SwissSign: EV code in JurisdiktionStateOrProvinceName
OATI: Misissuance detected by PKIMetal