Bugzilla #2038351
Certificate Misissuance
Let's Encrypt: Gen Y Cross-Certified Subordinate CAs missing serverAuth EKU
RESOLVED
Internet Security Research Group
AI Summary
Let's Encrypt issued three Cross-Certified Subordinate CA Certificates (the Gen Y cross-signs) that did not comply with CCADB Policy: they did not carry the required id-kp-serverAuth Extended Key Usage (EKU). The non-compliance was reported by a third party and identified on May 8, 2026, and Let's Encrypt temporarily halted certificate issuance while the issue was assessed. The affected certificates were revoked on May 13, 2026 and replaced with certificates that conform to both CCADB Policy and Let's Encrypt's updated CP/CPS. A full incident report was to be published by May 22, 2026.
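The check a practitioner wants after reading this summary is a lint that flags a subordinate or cross-certificate whose EKU does not include id-kp-serverAuth. The block below is an added example written for this page, not Let's Encrypt's, the CCADB's, or any linter's own code. It assumes the pyca `cryptography` library; the root and the three subordinate certificates it builds are constructed toy samples with made-up names and throwaway keys, and the reading of CCADB Policy encoded in `eku_findings` (EKU extension must be present, must include id-kp-serverAuth for a TLS-issuing CA, must not include anyExtendedKeyUsage) is the editor's own interpretation rather than text quoted from the bug.

```python
"""Lint subordinate CA certificates for the EKU requirement at the centre of this incident."""
from __future__ import annotations

import datetime
import sys

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def eku_findings(cert: x509.Certificate) -> list[str]:
    """Return lint findings for a subordinate CA certificate; [] means it passes.

    Checks applied (the policy reading is the editor's assumption, see lead-in):
      * basicConstraints must be present with cA=TRUE
      * an extendedKeyUsage extension must be present: under RFC 5280 an absent
        EKU means "any purpose", so "missing" is the unconstrained state, not a safe default
      * extendedKeyUsage must list id-kp-serverAuth for a TLS-issuing CA
      * extendedKeyUsage must not list anyExtendedKeyUsage
    """
    findings: list[str] = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            findings.append("basicConstraints cA=FALSE: not a CA certificate")
    except x509.ExtensionNotFound:
        findings.append("basicConstraints extension missing")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        findings.append("extendedKeyUsage extension missing (id-kp-serverAuth required)")
        return findings
    oids = list(eku)
    if ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in oids:
        findings.append("extendedKeyUsage contains anyExtendedKeyUsage")
    if ExtendedKeyUsageOID.SERVER_AUTH not in oids:
        findings.append("extendedKeyUsage lacks id-kp-serverAuth")
    return findings


def lint_pem_file(path: str) -> list[str]:
    """Load a PEM certificate from disk and lint it (use this on real intermediates)."""
    with open(path, "rb") as fh:
        return eku_findings(x509.load_pem_x509_certificate(fh.read()))


# --- constructed sample chain: toy keys and hypothetical names, not Let's Encrypt's ---

def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_subordinate(issuer_key, issuer_name: x509.Name, cn: str, eku_oids):
    """Sign a subordinate CA certificate; eku_oids=None omits the EKU extension entirely."""
    sub_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_name)
        .public_key(sub_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    if eku_oids is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


ROOT_KEY = ec.generate_private_key(ec.SECP256R1())
ROOT_NAME = _name("Constructed Example Root")  # hypothetical, constructed for this example

# Three hypothetical cross-signs: compliant, EKU absent, EKU present but without serverAuth.
SAMPLES = {
    "compliant": build_subordinate(
        ROOT_KEY, ROOT_NAME, "Constructed Sub CA 1",
        [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]),
    "no_eku": build_subordinate(ROOT_KEY, ROOT_NAME, "Constructed Sub CA 2", None),
    "client_only": build_subordinate(
        ROOT_KEY, ROOT_NAME, "Constructed Sub CA 3", [ExtendedKeyUsageOID.CLIENT_AUTH]),
}


def lint_samples() -> dict[str, list[str]]:
    """Lint every constructed sample and return {label: findings}."""
    return {label: eku_findings(cert) for label, cert in SAMPLES.items()}


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = {p: lint_pem_file(p) for p in targets} if targets else lint_samples()
    for label, findings in results.items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run it with no arguments to lint the constructed samples, or pass one or more PEM files to lint real intermediates and cross-signs. Only the `compliant` sample comes back clean; the other two reproduce the two ways a cross-certificate can fail this check, with the EKU extension absent or present but without id-kp-serverAuth.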
Chronology
- Three Cross-Certified Subordinate CA Certificates issued
- Non-compliance identified (May 8, 2026)
- Affected certificates revoked (May 13, 2026)
- Full incident report to be published (by May 22, 2026)
Participants
Phil Porada
Pawel Szafka
Aaron Gable
Brad Let's Encrypt
Petra Barzin
Similar Local Cases
Let's Encrypt: TLS Using ALPN Allows Additional Identifiers in Challenge Certificate
Let's Encrypt: certs issued contrary to CPS due to incomplete blocklist
Let's Encrypt: Mis-issued certificates related to SC48v2
Let's Encrypt: CAA Misissuances
Let's Encrypt: Attacker-controlled google.tg certificate being used in the wild.
Chunghwa Telecom: Wrong Extended Key Usage setting by GTLSCA
SwissSign: difference in upper and lower case between CN field and SAN
FNMT: Missisuance of web site certificates without CA/Browser Forum’s reserved policy OID