← HARICA cases
Bugzilla #2055551 Certificate Misissuance

HARICA: Issuance of Server TLS Certificates with id-kp-clientAuth KeyPurposeID after CP/CPS cutoff

UNCONFIRMED HARICA
This summary was auto-generated by AI and revised by me when needed — accuracy improves with each update. Always refer to the official Bugzilla thread as the authoritative source. If you spot an inaccuracy, let me know via the contact form.
AI Summary

The bug is a preliminary incident report from HARICA’s public-incident-reports address describing a CP/CPS update failure related to Chrome Root Store Policy changes. HARICA states that Chrome’s Root Store Policy v1.6 required removal of the `id-kp-clientAuth` KeyPurposeID from the `extKeyUsage` extension effective 2026-06-15, and that HARICA updated its CP/CPS v4.9 on 2025-03-14 to incorporate that deadline. HARICA then states that Chrome extended the deprecation date to 2027-03-15 in policy v1.8, but HARICA did not update its CP/CPS to reflect the extension, so it continued to allow `id-kp-clientAuth` in TLS certificates after HARICA’s internal 2026-06-15 CP/CPS cutoff. HARICA reports that all TLS certificates issued after 2026-06-15 00:00:01 (UTC) are affected and will be replaced and revoked within 5 days. The affected certificate profiles were updated to remove the `id-kp-clientAuth` EKU temporarily until an updated CP/CPS was released, and HARICA says a full incident report will be posted no later than 2026-07-30.

Model: gpt-5.4-nano Generated: 2026-07-16 19:49 UTC Confidence: 0.60 1 comment
Chronology
  1. HARICA updated its CP/CPS v4.9 to incorporate the 2026-06-15 removal deadline for id-kp-clientAuth KeyPurposeID in extKeyUsage.
  2. HARICA’s internal CP/CPS cutoff for allowing id-kp-clientAuth KeyPurposeID in TLS certificates took effect.
  3. HARICA states that TLS certificates issued after 2026-06-15 00:00:01 (UTC) are affected.
  4. HARICA posted a preliminary incident report describing affected certificates and planned replacement/revocation within 5 days.
Thread Activity
  1. HARICA — Posted a preliminary incident report stating HARICA continued to allow id-kp-clientAuth in TLS certificates after its 2026-06-15 CP/CPS cutoff, and that affected certificates will be replaced and revoked within 5 days while profiles were updated to remove the EKU temporarily.
Participants
HARICA Mozilla representative
External References
Similar Local Cases
#1459557 RESOLVED Self Reported Incident Certificate Misissuance Opened 2018-05-07 · Closed 2023-02-22 · 61% similar
SwissSign: Certificate issue with Signature
#1654216 RESOLVED Certificate Misissuance Opened 2020-07-21 · Closed 2023-02-22 · 61% similar
Buypass: PSD2 QWAC with RSA modulus not divisible by 8
#2044023 RESOLVED Certificate Misissuance Self Reported Incident Remediation Tracking Opened By Ca Opened 2026-06-01 · Closed 2026-07-02 · 60% similar
Asseco DS / Certum: Cross-Certificates subject encoding discrepancy
#1353838 RESOLVED Certificate Misissuance Opened 2017-04-05 · Closed 2023-02-22 · 60% similar
Trustis: SHA-1 serverAuth cert issued in November 2016
#1670894 RESOLVED Certificate Misissuance Opened 2020-10-13 · Closed 2023-02-22 · 60% similar
SwissSign: Invalid stateOrProvinceName field
#1691704 RESOLVED Ca Certificate Compliance Certificate Misissuance Opened 2021-02-09 · Closed 2023-02-22 · 60% similar
SwissSign: Certificate with key length 4098 bit
#1267049 RESOLVED Certificate Misissuance Opened 2016-04-24 · Closed 2023-02-22 · 60% similar
Izenpe: EV certificate with various issues
#1449371 RESOLVED Ca Certificate Compliance Certificate Misissuance Opened 2018-03-27 · Closed 2023-02-22 · 60% similar
E-Tugra: Validity period > 825 days

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action