Actalis: Insufficient serial number entropy
Actalis identified an issue with insufficient entropy in the serial numbers of approximately 350,000 certificates issued between September 30, 2016, and March 6, 2019. The problem stemmed from the EJBCA software's unexpected behavior. Following the discovery on March 3, 2019, Actalis implemented a fix on March 6, ensuring all subsequent certificates had adequate entropy. The revocation of affected certificates began shortly after, with significant progress reported, although challenges arose due to the complexity of customer organizations and their internal processes. By August 1, 2019, Actalis confirmed that all impacted certificates had been revoked or expired.
- March 3, 2019: Actalis became aware of insufficient entropy in certificate serial numbers.
- March 6, 2019: Fix implemented to ensure certificates have adequate entropy.
- August 1, 2019: All impacted certificates confirmed revoked or expired.