Bugzilla #2048370 · Self Reported Incident · Problem Reporting Failure

Sectigo: Signed OCSP responses not saved for publication due to application restart loop

ASSIGNED Sectigo
This summary was auto-generated by AI and revised by me when needed — accuracy improves with each update. Always refer to the official Bugzilla thread as the authoritative source. If you spot an inaccuracy, let me know via the contact form.
AI Summary

Sectigo reported an OCSP incident after noticing spikes in its OCSP replication system on June 15, 2026. During its investigation, Sectigo found that the Kubernetes (k8s) pod running its OCSP signing application (CertStatus) was restarting every minute, putting the application in a restart loop. Sectigo stated that replication lag stayed around 5 minutes and that the immediate issue was resolved, but it later received a support ticket and a Certificate Problem Report (CPR) reporting “unauthorized” OCSP responses for certificates issued on June 15. Sectigo’s preliminary investigation indicated that OCSP responses were at least partially processed and signed by its HSMs, but some responses never made it to publication. Sectigo said it has a failsafe (continuous refresh signing) that normally signs a new response within a few minutes, but that a backlog in the queue had been growing because of the restart loop, delaying signing and publication. The bug is currently marked ASSIGNED, and Sectigo stated that it is investigating the incident further.

Model: gpt-5.4-nano · Generated: 2026-06-19 19:44 UTC · Confidence: 0.60 · 1 comment
Chronology
  1. Sectigo observed spikes in its OCSP replication system and identified an OCSP signing application restart loop.
  2. Sectigo received a support ticket and a CPR reporting “unauthorized” OCSP responses for certificates issued on June 15.
Thread Activity
  1. martijn.katerbarg@sectigo.com — Martijn Katerbarg submitted a preliminary incident report describing the CertStatus restart loop, partial signing by HSMs, and OCSP responses not being published, and noted further investigation.
Participants
martijn.katerbarg@sectigo.com
External References
Similar Local Cases
#1740493 RESOLVED Ca Certificate Compliance Certificate Misissuance Self Reported Incident Opened 2021-11-10 · Closed 2023-02-22 · 77% similar
Sectigo: Failure to block disallowed LDH labels in domain names
#1741026 RESOLVED Ca Certificate Compliance Revocation Issue Self Reported Incident Opened 2021-11-13 · Closed 2023-02-22 · 77% similar
Sectigo: Incorrect JOI for federal credit unions
#1796803 RESOLVED Self Reported Incident Opened 2022-10-21 · Closed 2023-02-22 · 77% similar
Sectigo: Issuance of ECC leaf certificates with non-DER encoded keyUsage
#1945197 RESOLVED Self Reported Incident Audit Delay Opened 2025-01-31 · Closed 2025-02-28 · 77% similar
Sectigo: Late receipt and disclosure to CCADB of ETSI audit letters
#1994454 RESOLVED Problem Reporting Failure Opened 2025-10-15 · Closed 2025-12-11 · 77% similar
Sectigo: Failure to reply to Certificate Problem Reports within 24 hours
#1942651 RESOLVED Self Reported Incident Policy Document Issue Opened 2025-01-20 · Closed 2025-02-14 · 76% similar
Sectigo / SSL.com: Late disclosure of updated SSL.com CP/CPS to CCADB
#1718785 RESOLVED Self Reported Incident Revocation Issue Opened 2021-06-30 · Closed 2024-06-30 · 70% similar
Sectigo: 2020 failure to respond to CPRs discovered
#2038351 ASSIGNED Ca Certificate Compliance Incident Self Reported Incident Certificate Misissuance Opened 2026-05-08 Still Open · 69% similar
Let's Encrypt: Gen Y Cross-Certified Subordinate CAs missing serverAuth EKU