← China Financial Certification Authority (CFCA) cases
Bugzilla #2049179 Repository Issue Problem Reporting Failure Externally Reported Incident

CFCA: OCSP responders returning “unauthorized” errors for three intermediate CA certificates

ASSIGNED China Financial Certification Authority (CFCA)
This summary was auto-generated by AI and revised by me when needed — accuracy improves with each update. Always refer to the official Bugzilla thread as the authoritative source. If you spot an inaccuracy, let me know via the contact form.
AI Summary

The bug reports that CFCA’s OCSP responders for three intermediate CA certificates issued under CFCA_Global_RSA_ROOT_G2—CFCA_DV_RSA_OCA_G2, CFCA_OV_RSA_OCA_G2, and CFCA_EV_RSA_OCA_G2—are returning “unauthorized” errors. The reporter states the root cause is that the OCSP responder signing certificates have not yet been issued by the offline Root CA, and that the OCSP system database has not been configured with the corresponding intermediate CA certificate data. The reporter also states that no subscriber certificates have been issued from this hierarchy. The report cites CA/Browser Forum Baseline Requirements Section 4.9.9 regarding OCSP status communication for certificates with an id-ad-ocsp AIA accessMethod. The bug thread indicates the incident disclosure source is a third-party report.

Model: gpt-5.4-nano Generated: 2026-06-23 19:07 UTC Confidence: 0.86 1 comment
Chronology
  1. A third-party reported that CFCA OCSP responders for three intermediate CA certificates are returning “unauthorized” errors.
Thread Activity
  1. songxinlei@gmail.com — Reported reproduction steps and described an OCSP “unauthorized” error affecting CFCA_DV_RSA_OCA_G2, CFCA_OV_RSA_OCA_G2, and CFCA_EV_RSA_OCA_G2, attributing it to missing OCSP responder signing certificates and missing OCSP database configuration for the intermediate CA data.
Participants
songxinlei@gmail.com
External References
Original Bugzilla Case
Similar Local Cases
#2047843 ASSIGNED Problem Reporting Failure Incident Repository Issue Opened 2026-06-16 Still Open · 73% similar
Certigna: Pre-certificates not recognised by the OCSP responder
AI Summary CA Owner
#2047952 ASSIGNED Problem Reporting Failure Opened 2026-06-16 Still Open · 72% similar
KIR: OCSP responder does not return status for precertificate
AI Summary CA Owner
#2048626 ASSIGNED Repository Issue Revocation Issue Problem Reporting Failure Opened 2026-06-18 Still Open · 68% similar
Kamu SM: Incorrect CRL Served at SSL CRL Distribution Point
AI Summary CA Owner
#2048995 ASSIGNED Problem Reporting Failure Ct Logging Issue Opened 2026-06-19 Still Open · 62% similar
eMudhra emSign PKI Services: OCSP Responder Returned "Unauthorized" for Some Pecertificates
AI Summary CA Owner
#708229 RESOLVED Common Ca Database Repository Issue Opened 2011-12-07 · Closed 2022-11-14 · 58% similar
GoDaddy's intermediate CA not in the Mozilla CA bundle
AI Summary CA Owner
#1970259 RESOLVED Certificate Misissuance Externally Reported Incident Opened 2025-06-03 · Closed 2025-08-26 · 57% similar
GoDaddy: Precertificates incorrectly logged to DigiCert SCT Logs
AI Summary CA Owner
#1320943 RESOLVED Revocation Issue Repository Issue Opened 2016-11-29 · Closed 2022-11-14 · 57% similar
Add revoked certificate Certification Authority of WoSign G2 issued by Certum CA root to OneCRL
AI Summary CA Owner
#2007072 RESOLVED Repository Issue Opened 2025-12-19 · Closed 2026-01-26 · 57% similar
TrustAsia: CRL disclosure address incorrectly using HTTPS scheme in CCADB
AI Summary CA Owner

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action