The bug contains a preliminary incident report stating that the emSign CA served RFC 6960 OCSP responses with an "Unauthorized" result for three publicly logged precertificates where the final certificates were not issue…
SwissSign AG disclosed a compliance issue in its S/MIME CPR profile after auditors identified that chapter 3.3.1.7 described the commonName field incorrectly for S/MIME MV certificates. SwissSign said the published CPR t…
This case concerns Netlock’s disclosure of a standards-compliance issue affecting Authority Information Access (AIA) CA Issuers HTTP endpoints. Netlock reported that several AIA URLs returned issuer certificates in PEM e…
This case concerns Netlock’s disclosure of a CRL compliance issue affecting revoked certificate entries in a published CRL. Netlock stated that a third party reported that the CRL at http://crl3.netlock.hu/index.cgi?crl=…
The bug describes an incident where, on 2026-06-17, a configuration error in the CRL publication process during a key rollover operation caused a CRL from a different subordinate CA environment to be copied to the produc…
Certum (Asseco Data Systems S.A.) reported an incident discovered internally on 2026-06-01 while reviewing CRL Watch entries. The analysis determined that the CRL Watch discrepancy was caused by differences in the encodi…
This case reports that eMudhra’s ACME issuance workflow automatically included the corresponding www subdomain in the issued certificate SAN when the certificate request was submitted for only the base domain. eMudhra st…
IdenTrust reported an internal review finding a compliance issue in its TrustID TLS CP/CPS related to issuance of TLS end-entity certificates. The issue was that TLS certificates were issued with additional IdenTrust cer…
Sectigo reported an OCSP incident after noticing spikes in its OCSP replication system on June 15, 2026. During investigation, Sectigo identified that its OCSP signing application (CertStatus) k8s pod was restarting ever…
This case is about Let's Encrypt’s Gen Y cross-certified subordinate CA certificates and their compliance with CCADB Policy and the Let’s Encrypt CP/CPS. The issue was first disclosed by Let's Encrypt as a preliminary in…
This case is a self-reported incident by Let’s Encrypt regarding CRL publication. Let’s Encrypt monitoring (crl-monitor) detected that a database replication issue caused recently added revocation entries to be temporari…
The bug reports an OCSP status-checking problem for a precertificate involving Krajowa Izba Rozliczeniowa S.A. (KIR). The CA states that it received a problem report via a Certificate Problem Report (CPR) indicating that…
The bug thread contains a preliminary incident report stating that the OCSP responder only recognises certificates issued by Certigna’s CAs. It further states that pre-certificates issued without a final leaf certificate…
CFCA reported a compliance incident involving its OCSP infrastructure after a security researcher emailed the company about multiple non-conformance issues. The reported problems included OCSP responder certificate profi…
Certigna disclosed an incident involving a delay in reporting an audit finding. The incident ticket related to a finding identified during the 2026 ETSI audit was not created within the deadlines in the CCADB Incident Re…
CFCA reported a CRL encoding incident affecting four CRLs: the RSA signatureAlgorithm field was missing the required NULL parameter, and one DVOCA CRL also had an empty revokedCertificates field when no certificates were…
Ballot CSC-32: Make a Reserved Policy OID mandatory in the CertificatePolicies extension for Subscriber certificates (#57) * Ballot CSC-32: Make a Reserved Policy OID mandatory in the CertificatePolicies extension for Su…
SC-098: Process RFC 8657 CAA Parameters (#567) Update 3.2.2.8 to require that CAs process CAA accounturi and validationmethod parameters defined in RFC 8657 Fixes https://github.com/cabforum/servercert/issues/353 -------…
Telia Company requested the inclusion of its v3 generation dedicated TLS and S/MIME Root CAs in multiple root stores. The request lists specific TLS Root CAs (Telia EC TLS Root CA v3 and Telia RSA TLS Root CA v3) and spe…
This case is a request to include the “SECOM SMIME RSA Root CA 2024” root certificate in Mozilla’s root store. SECOM Trust Systems CO., LTD. provided the certificate details and links to the certificate file and CCADB ca…
SECOM Trust Systems CO., LTD. requested inclusion of two new roots in Mozilla’s root program: SECOM TLS RSA Root CA 2024 and SECOM TLS ECC Root CA 2024. The request included certificate details and links to the correspon…
This case is a Mozilla CA Program request to add Cybertrust Japan SecureSign Root CA16 as an S/MIME root certificate. Cybertrust Japan submitted the request and provided a key generation report, later uploading period-of…
Let’s Encrypt is committed to a post-quantum-safe Web PKI. The path we’re planning to take is Merkle Tree Certificates (“MTCs”), a new approach that adds post-quantum authentication to the web wit…
Ballot SC-099: Improve Recording of Validation Methods (#656) The current BRs contain the following text in Sections 3.2.2.4 and 3.2.2.5: > CAs SHALL maintain a record of which [domain/IP] validation method, including…
Have you ever needed to make sure your website has a broken certificate? While many tools exist to help run an HTTPS server with valid certificates, there aren’t tools to make sure your certificate is revoked or ex…
Nick Silverman is a Senior Infrastructure Engineer on the Edge Infrastructure team at Shopify, where he maintains the systems that provision, renew, and publish SSL certificates for millions of merchants’ custom do…
This was also posted on EFF’s blog. As we announced earlier this year, Let’s Encrypt now issues IP address and six-day certificates to the general public. The Certbot team at the Electronic Frontier Foundatio…
Ballot SC-097 (V1): "Sunset all remaining use of SHA-1 signatures in Certificates and CRLs" (#645) **Purpose of Ballot SC-097:** This ballot proposes updates to the Baseline Requirements for the Issuance and Ma…
As previously announced, over the next two years we will be switching the default certificate lifetime from 90 days to 64 days, and then 45 days. This will ultimately double the number of certificate renewal requests eac…
When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges. For subscribers who need wildcard certificates or who prefer not to …
Update build-guidelines-action to version 2.2.1 (#299) * Update build-guidelines-action to version 2.2.1 * Update action to use Docker image for build guidelines
In a recent conversation with a Let’s Encrypt subscriber, we asked them to guess how many people work at ISRG, the nonprofit behind Let’s Encrypt (and Prossimo and Divvi Up). Their guess was about 100; they&r…
Update: March 11, 2026 If you use Certbot, see Six-Day and IP Address Certificates Available in Certbot for details on requesting these certificates. Short-lived and IP address certificates are now generally available fr…
SC-090: "Gradually sunset all remaining email-based, phone-based, and ‘crossover’ validation methods from Sections 3.2.2.4 and 3.2.2.5" (#616) BRs v2.2.2 **Notes:** - As of 09 September 2025, this proposal is *…
This letter was originally published in our 2025 Annual Report. This year was the 10th anniversary of Let’s Encrypt. We’ve come a long way! Today we’re serving more than 700 million websites, issuing te…
Ballot SC-91: Sunset 3.2.2.5.3 Reverse Address Lookup Validation, proposal of new DNS-based validation using Persistent DCV TXT Record for IP addresses (#626) BRs v 2.2.1 ## Ballot SC-91: “Sunset 3.2.2.5.3 Reverse Addres…
On September 14, 2015, our first publicly-trusted certificate went live. We were proud that we had issued a certificate that a significant majority of clients could accept, and had done it using automated software. Of co…
Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028. This change is being made along with the r…
In a ceremony held in September, Let’s Encrypt generated two new Root Certification Authorities (CAs) and six new Intermediate CAs, which we’re collectively calling the “Generation Y” hierarchy. Now we’re moving to begin…
CSC-31: Maximum Validity Reduction (#48) (#51) * CSC-31: Maximum Validity Reduction (#48) * Update CSBR.md for proposed validity period change Updating to mostly match ian's original verbiage. However, given that we …
SC092: Sunset use of Precertificate Signing CAs (#630) * Sunset precert signing cas (#629) * Update version and revision table * Fix formatting * fix formatting * Change order of effective dates in table 1.2.2. * One mor…
v1.0.12 - Ballot SMC014 (#285) The Intellectual Property Review (IPR) period for Ballot SMC014 (DNSSEC for CAA) has completed. No IPR Exclusion Notices were filed, and the ballot is adopted as of October 13, 2025.
Seth Schoen was an early contributor to Let's Encrypt through his work at the Electronic Frontier Foundation. He's also one of the longest standing participants in the Let's Encrypt community support forum, so we asked h…
Let’s Encrypt has been proud to work with the IETF to maintain ACME as an open standard since we first developed the technology a decade ago. We’re happy to announce that IETF has published our latest additio…
NGINX and Let's Encrypt share a common vision of an open and secure web. Now, with built-in support for ACME, the world's most popular web server, reverse proxy and ingress controller for Kubernetes can simplify certific…
SC-089: Mass Revocation Planning (#611) * SC-089: Mass Revocation Planning (#610) * Initial draft of 5.7.1.2 Here is an initial draft of a proposal to add section 5.7.1.2 to the TLS Baseline Requirements. See Issue #602 …
v1.0.11 - Ballot SMC013 (#284) This text introduces specifications for the use of two post-quantum cryptography (PQC) algorithms, as standardized by the U.S. National Institute of Standards and Technology (NIST), in the …
SC085: Require Validation of DNSSEC (when present) for CAA and DCV Lookups (#606) * Update version number, recent changes and relevant dates * fix version
v1.0.10 - Ballot SMC012 (#282) This text introduces a new method for validation of mailbox control, using ACME for S/MIME as defined in RFC 8823: Extensions to Automatic Certificate Management Environment for End-User S/…
At Mozilla, we consider security to be a paramount aspect of the web. This is why not only does Firefox have a long running bug bounty program but also mature … Read more The post Firefox Security Response to pwn2o…
The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to a new signing subkey shortly. The GPG fingerprint … Read more The post Updated GPG key for signing…
Mozilla remains committed to fostering a secure, agile, and transparent Web PKI ecosystem. The new Mozilla Root Store Policy (MRSP) v3.0, effective March 15, 2025, introduces critical updates to strengthen … Read m…
Ballot SMC010 - Introduction of Multi-Perspective Issuance Corroboration (#260) This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require …
At Mozilla, browser security is a critical mission, and part of that mission involves responding swiftly to new threats. Tuesday, around 8 AM Eastern time, we received a heads-up from … Read more The post Behind th…
Ballot SMC08 - Deprecate Legacy Generation Profiles and Minor Updates (#253) The S/MIME Baseline Requirements include a set of Legacy profiles designed to ease the transition into an audited framework, with the expectati…
CSC-25: Import EV Guidelines to CS Baseline Requirements (#38) * First import of EV Guidelines version 1.8.0 * Added organizationIdentifier and extension. Added EVG definitions all the way up to the term "Registered…
Most of the web already supports HTTPS: In fact, 93% of requests made by Firefox are already HTTPS. As a reminder, HTTP over TLS (HTTPS) fixes the security shortcoming of HTTP … Read more The post Firefox will upgr…
At Mozilla, we believe in an open web that is safe to use. To that end, we improve and maintain the security of people using Firefox around the world. This … Read more The post Rapidly Leveling up Firefox Security …
CSC-22: High risk changes (#31) * Restore EV guidelines version reference * Capitalize "MUST NOT" (#19) * Assign ballot number, fix ballot name * High risk ballot draft language * Restore and tweak reference to…
CSC-21: Improved signing services requirements (#12) * Fix typos * Prepare final copy assuming IPR review is clean * Import of Word doc changes to Git * Clarify that SSs are not DTPs in 8.1 * Update may to MAY * Integrat…
Bump actions/upload-artifact from 3 to 4 (#32) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](h…
To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this … Read more The post Mozill…
Online security is constantly evolving, and thus we are excited to announce the publication of MRSP version 2.9, demonstrating that we are committed to keep up with the advancement of … Read more The post Version 2…
The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to a new key shortly. The new GPG fingerprint is … Read more The post Updated GPG key for signing Firef…
In accordance with the Mozilla Manifesto, which emphasizes the open development of policy that protects users’ privacy and security, we have worked with the Mozilla community over the past several … Read more The p…