certSIGN: incorrect CRL URL added in CCADB during cross-certificate update

This case reports an incident involving certSIGN’s CCADB data. The certSIGN operator updated the data of a cross-certificate in CCADB and an incorrect URI was added in the CRL path field. certSIGN states that the error was corrected immediately after the incorrect URI was added, and that the cross-certificate was for a “TO BE replacement” on a dedicated PKI system. certSIGN also states that no certificates were affected because the cross-certificate was created for a time when the new PKI system would be included in browsers. The incident was disclosed as part of certSIGN’s root cause analysis of another incident (Bug 2046230) and via an email from Ophelia Pague on 2026-06-11. The reported contributing factors include lack of automated validation tooling in CCADB and missing operator validation/double-checking; the CCADB record was manually corrected on 2026-06-11 05:30.

1. 2026-06-10 certSIGN updated CCADB cross-certificate data and an incorrect CRL URI was entered.
2. 2026-06-11 certSIGN corrected the CCADB CRL URI after identifying the issue and reported the incident.

1. 2026-06-16 gabriel.petcu@certsign.ro — Opened the bug with a preliminary incident report stating an incorrect CRL path URI was added during a CCADB cross-certificate update and then corrected immediately.
2. 2026-06-19 gabriel.petcu@certsign.ro — Provided a full incident report with timeline, impact statement (no certificates affected), and root cause analysis details (lack of CCADB validation tooling and missing operator double-check).