← certSIGN cases
Bugzilla #2046230
Certificate Problem Report
certSIGN: Inconsistent revocation status (CRL "revoked" vs OCSP "good") for intermediate CA "certSIGN Web CA"
ASSIGNED
certSIGN
AI Summary
The certSIGN Web CA has been reported to have inconsistent revocation statuses between its CRL and OCSP responses. The CRL indicates the certificate is revoked, while the OCSP response states it is good. This discrepancy affects numerous end-entity certificates that chain through the certSIGN Web CA. The issue arose during a scheduled revocation ceremony, where an error in the automated workflow led to the CRL being published before the OCSP database was synchronized. certSIGN has acknowledged the problem and is working on remediation.
Chronology
- Revocation ceremony for certSIGN Web CA conducted.
- Additional observations provided detailing the inconsistency.
- Preliminary incident report issued by certSIGN.
Participants
Glenn van Es
Gabriel PETCU
External References
Similar Local Cases
certSIGN: Incorrect data in stateOrProvinceName
certSIGN: Delayed response to CPR
certSIGN: Delayed revocation
certSIGN: Missing certificate from the list of bad order subject attributtes
certSIGN: Certificates with incorrect Subject attribute order
certSIGN: certificates with delayed SCT signature
certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #4 – Expired cert with bad order of attributes
certSIGN: delay in updating a Bugzilla ticket