ANF AC: Incident Report - OCSP "unknown" response for CT precertificate
ANF AC reported an operational incident involving a Certificate Transparency (CT) precertificate whose OCSP status was observed as "does not know this certificate". ANF AC stated that the precertificate had been submitted to CT, but during the SCT retrieval workflow the issuance process timed out; when the request was retried, a new certificate was issued with a different serial number, leaving the original precertificate published in CT without a corresponding OCSP record. ANF AC said it registered the affected precertificate in its OCSP responder on 2026-06-25, resolving the OCSP inconsistency, and that a review of historical issuance records found no additional orphaned precertificates. ANF AC also described that the incident was brought to its attention via a third-party notification referencing OCSPWatch, which was initially misclassified as spam and not seen by operations until a second contact was added to the thread. In response to the incident, ANF AC reported completing an action item to implement automated monitoring of OCSPWatch by polling the OCSPWatch API and alerting operations when issues affecting ANF AC are detected. The Google root program participant asked for details on ANF AC’s OCSPWatch polling and requested information about independent internal monitoring and controls beyond OCSPWatch.
- ANF AC generated and submitted a CT precertificate, then the SCT retrieval workflow timed out and a retry issued a new certificate with a different serial number.
- ANF AC received a third-party notification referencing OCSPWatch but it was incorrectly classified as spam.
- ANF AC identified the incident after a second ANF AC contact was added to the notification thread.
- ANF AC registered the affected precertificate in the OCSP responder, resolving the OCSP inconsistency.
- ANF AC reported completing automated OCSPWatch monitoring integration and discussed remediation details in the thread.
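The failure mode in the timeline (precertificate reaches CT, SCT retrieval times out, retry mints a new serial, original serial never reaches OCSP) and the follow-up check ("review of historical issuance records found no additional orphaned precertificates") can both be modelled in a few dozen lines. The block below is an added example, not ANF AC's code and not OCSPWatch's (whose API the thread notes is undocumented, so it is not called here): `reconcile()` lists CT-logged precertificate serials for which the responder answers "unknown", and `Issuer` contrasts the retry behaviour described in the report with a variant that keys pending precertificates by request id and registers the serial with OCSP before CT submission. All serials, the toy OCSP database and the flaky SCT fetcher are constructed.

```python
"""Added example (not ANF AC's or OCSPWatch's code). Constructed data only."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class OcspResponder:
    """Toy OCSP database: serial -> status; any serial not present is 'unknown'."""
    statuses: dict[str, str] = field(default_factory=dict)

    def register(self, serial: str, status: str = "good") -> None:
        self.statuses[serial] = status

    def status(self, serial: str) -> str:
        return self.statuses.get(serial, "unknown")


def reconcile(ct_precert_serials: list[str], ocsp: OcspResponder) -> list[str]:
    """Serials that appear in CT as precertificates but for which OCSP answers
    'unknown'. Each hit is an orphaned precertificate of the kind in the report."""
    return sorted(s for s in ct_precert_serials if ocsp.status(s) == "unknown")


class Issuer:
    """Issuance workflow with two modes.

    reuse_pending=False reproduces the reported behaviour: every attempt mints a
    fresh serial and OCSP only learns the serial once SCTs have been retrieved.
    reuse_pending=True keys the pending precertificate by request id, so a retry
    after an SCT timeout resubmits the SAME serial, and OCSP is populated before
    the precertificate is sent to CT.
    """

    def __init__(self, ocsp: OcspResponder, fetch_scts: Callable[[str], list[str]],
                 reuse_pending: bool = True):
        self.ocsp = ocsp
        self.fetch_scts = fetch_scts
        self.reuse_pending = reuse_pending
        self.ct_log: list[str] = []        # constructed stand-in for the CT log's precert entries
        self.pending: dict[str, str] = {}  # request id -> serial awaiting SCTs
        self.issued: dict[str, str] = {}   # request id -> serial of the final certificate
        self._counter = 0

    def _new_serial(self) -> str:
        self._counter += 1
        return f"{self._counter:016x}"

    def issue(self, request_id: str) -> str:
        if request_id in self.issued:          # idempotent: already finished
            return self.issued[request_id]
        serial = self.pending.get(request_id) if self.reuse_pending else None
        if serial is None:
            serial = self._new_serial()
            if self.reuse_pending:
                self.ocsp.register(serial)     # responder knows the serial before CT does
            self.ct_log.append(serial)         # precertificate submitted to CT
            self.pending[request_id] = serial
        scts = self.fetch_scts(serial)         # may raise TimeoutError; pending entry survives
        if not self.reuse_pending:
            self.ocsp.register(serial)         # reported order: OCSP record only after SCTs
        del self.pending[request_id]
        self.issued[request_id] = serial
        return serial


def flaky_fetcher(timeouts: int) -> Callable[[str], list[str]]:
    """Constructed SCT fetcher: times out `timeouts` times, then returns one SCT."""
    calls = {"n": 0}

    def fetch(serial: str) -> list[str]:
        calls["n"] += 1
        if calls["n"] <= timeouts:
            raise TimeoutError("CT log did not return an SCT in time")
        return [f"sct-for-{serial}"]

    return fetch


def run_scenario(reuse_pending: bool) -> tuple[int, list[str]]:
    """One request whose first SCT fetch times out, then one retry.
    Returns (distinct serials published to CT, orphaned serials per reconcile())."""
    ocsp = OcspResponder()
    issuer = Issuer(ocsp, flaky_fetcher(timeouts=1), reuse_pending)
    try:
        issuer.issue("req-1")
    except TimeoutError:
        pass                                   # operator retries the same request
    issuer.issue("req-1")
    return len(set(issuer.ct_log)), reconcile(issuer.ct_log, ocsp)


if __name__ == "__main__":
    print("reported behaviour:", run_scenario(reuse_pending=False))
    print("keyed retry:       ", run_scenario(reuse_pending=True))
```

With `reuse_pending=False` the retry leaves two serials in CT and `reconcile()` flags the first one as orphaned; with `reuse_pending=True` a single serial reaches CT and the responder already knows it, so the reconciliation list is empty. Run against real data, `reconcile()` would take the CA's own list of precertificate serials from its CT submission records rather than a constructed list, which is the kind of independent control the thread asks about.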
- yulier.nunez@anf.es — ANF AC provided a preliminary incident report describing the OCSP inconsistency for a CT precertificate and said it registered the precertificate in OCSP on 2026-06-25.
- yulier.nunez@anf.es — ANF AC posted a full incident report with a timeline, root cause description (SCT retrieval timeout leading to a new serial on retry), and impact details (1 precertificate, 0 remaining valid certificates).
- yulier.nunez@anf.es — ANF AC stated it completed an action item to implement automated OCSPWatch monitoring by polling the OCSPWatch API and alerting operations.
- chrome-root-program@google.com — Google asked ANF AC to clarify OCSPWatch polling details and to describe independent internal monitoring/alerting and controls beyond OCSPWatch.
- agwa-bugs@mm.beanwood.com — The commenter noted that the referenced OCSPWatch API endpoint is undocumented/internal and that OCSPWatch is not a substitute for the CA’s own monitoring.