HARICA: Incorrect Open MPIC Lambda implementation by EJBCA ACME Service
HARICA identified an issue with the EJBCA ACME Service's implementation of Multi-Perspective Issuance Corroboration (MPIC): the implementation did not execute Domain Control Validation (DCV) from the Primary Network Perspective. This oversight affected certificates issued between March 14, 2025, and April 6, 2026. Upon discovering the problem, HARICA promptly initiated a mass revocation plan, replacing and revoking all affected certificates within the required timeframe. The root cause was attributed to an incorrect assumption made during the evaluation of the MPIC functionality, which led to insufficient validation of the entire DCV workflow. HARICA has since strengthened its procedures to ensure comprehensive compliance verification for future software changes.
- HARICA enables MPIC on DCV for EJBCA's ACME service
- Non-compliance identified and mass revocation plan activated
- All affected certificates revoked
- Incident report closure summary submitted