← Chunghwa Telecom cases
Bugzilla #2012274
Certificate Problem Report
Chunghwa Telecom: Issuance of certificate using keys previously reported as compromised
RESOLVED
FIXED
Chunghwa Telecom
AI Summary
On January 23, 2026, Chunghwa Telecom (CHT) was notified of certificates issued using a private key that had previously been revoked due to key compromise. An investigation revealed that a missing system configuration allowed the issuance of certificates with compromised keys. A total of 8 affected OV certificates were identified, with 6 still valid at the time of detection. All affected certificates were revoked within 24 hours, and corrective measures were implemented to prevent future occurrences. CHT has committed to maintaining compliance with TLS Baseline Requirements and enhancing their validation processes.
Chronology
- Received third-party notification regarding compromised key usage.
- Investigation completed, identifying 8 affected certificates.
- Full incident report submitted.
- Action items for remediation completed.
- Incident report closure summary provided.
Participants
Tsung-Min Kuo
External References
Similar Local Cases
Chunghwa Telecom: Test Website certificate not revoked
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired
Chunghwa Telecom: OV TLS Server certificate issuance by GTLSCA without proper validation
Chunghwa Telecom: CA Certificates Published in PEM format
Chunghwa Telecom: Failure to respond to CPR within 24 hours
Chunghwa Telecom: Failure to check restrictive CAA record during Migration
Chunghwa Telecom: Controversial Values within Extension (2.5.29.9, subjectDirectoryAttributes)
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA