CFCA: OCSP Responder Certificate Profile Deviations and OCSP Service Issues
The China Financial Certification Authority (CFCA) had multiple non-conformance issues in its OCSP Responder certificates: unauthorized Key Usage flags, missing required extensions, and prohibited extensions. A third-party security researcher reported these issues on April 7, 2026. The incident was not detected in a timely manner because the disclosure was made outside the official Certificate Problem Report mechanism. CFCA has since reissued the affected certificates and implemented several corrective actions, including updates to its compliance processes and infrastructure checks.
- CFCA received a report from a security researcher regarding OCSP Responder certificate issues.
- All OCSP Responder certificates were reissued with correct profiles.
- CFCA submitted a closure report detailing remediation actions taken.
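
A pre-issuance profile lint is one way to catch the three deviation classes named above (unauthorized Key Usage flags, missing required extensions, prohibited extensions) before a responder certificate is signed. The following is an added example, not CFCA's tooling. The rule sets are an assumed, partial profile to be aligned with the current Baseline Requirements, and the `cert` dictionary shape and both sample certificates are constructed for illustration, not taken from the incident.

```python
# Assumed, partial OCSP Responder profile; verify against the current
# Baseline Requirements and the CA's CPS before using it as a gate.
ALLOWED_KEY_USAGE = {"digitalSignature"}
OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning
REQUIRED_EXTENSIONS = {
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.37": "extKeyUsage",
    "1.3.6.1.5.5.7.48.1.5": "id-pkix-ocsp-nocheck",
}
PROHIBITED_EXTENSIONS = {
    "2.5.29.17": "subjectAltName",
    "2.5.29.30": "nameConstraints",
}


def lint_ocsp_responder(cert):
    """Return sorted (category, detail) findings for a decoded certificate."""
    # `cert` is a hypothetical decoded view of the to-be-signed certificate:
    # {"key_usage": [names], "eku": [OIDs], "extensions": [OIDs]}
    findings = []
    present = set(cert.get("extensions", []))
    for bit in set(cert.get("key_usage", [])) - ALLOWED_KEY_USAGE:
        findings.append(("unauthorized_key_usage", bit))
    for oid, name in REQUIRED_EXTENSIONS.items():
        if oid not in present:
            findings.append(("missing_extension", name))
    for oid, name in PROHIBITED_EXTENSIONS.items():
        if oid in present:
            findings.append(("prohibited_extension", name))
    if OCSP_SIGNING_EKU not in cert.get("eku", []):
        findings.append(("missing_eku", "id-kp-OCSPSigning"))
    return sorted(findings)


# Constructed sample showing one deviation of each class.
DEVIANT = {
    "key_usage": ["digitalSignature", "keyEncipherment"],
    "eku": [OCSP_SIGNING_EKU],
    "extensions": ["2.5.29.35", "2.5.29.15", "2.5.29.37", "2.5.29.17"],
}
# Constructed sample that satisfies the assumed profile.
CONFORMING = {
    "key_usage": ["digitalSignature"],
    "eku": [OCSP_SIGNING_EKU],
    "extensions": list(REQUIRED_EXTENSIONS),
}

if __name__ == "__main__":
    for category, detail in lint_ocsp_responder(DEVIANT):
        print(f"{category}: {detail}")
```

Run as an issuance gate, any non-empty result blocks signing; run over already-issued responder certificates, it gives an inventory of what needs reissuing.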