← IdenTrust Services, LLC cases
Bugzilla #2026351
Certificate Problem Report
Identrust: Root CrossSign, of dedicated Roots, missing EKU
RESOLVED
FIXED
IdenTrust Services, LLC
AI Summary
IdenTrust reported an incident involving the absence of Extended Key Usage (EKU) assertions in recently issued Root cross-sign certificates. This issue was identified through a third-party report, revealing that the EKU was missing at the Root level, which is necessary for cross-signing with multi-purpose roots. The non-compliance was noted to have started on January 26, 2026, and was resolved by revoking the affected certificates and updating internal policies to prevent future occurrences. All action items have been completed, and IdenTrust has committed to ongoing improvements in compliance with CCADB policies.
Chronology
- First Root Cross-Sign issued with missing EKUs
- Notified of the missing EKU by third-party
- Affected Cross-Signed Root certificates revoked
- All action items completed
- Final call for comments on the Incident Report
Participants
IdenTrust
External References
Similar Local Cases
IdenTrust: Failure to provide OCSP responses for valid ICA certificates
IdenTrust: Expired CRLs
IdenTrust: Incorrect response for OCSP validation
IdenTrust: Test Certificates from cross-signed roots not disclosed in CT Logs
IdenTrust: EV TLS certificate with wrong jurisdiction state for private organization
IdenTrust: Missing Revocation Reasons in CRL
IdenTrust: CA Certificate not published in DER Encoded Format
IdenTrust: Unauthorized OCSP responses for cross-signed roots