Closed Bug 1017136 Opened 10 years ago Closed 8 years ago

IGC/A: no subject alternative name

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: kurt, Assigned: igca)

(Whiteboard: BR Compliance)

I'm seeing certificates without the subject alternative name extension from the following path:
E = igca@sgdn.pm.gouv.fr, CN = IGC/A, OU = DCSSI, O = PM/SGDN, L = Paris, ST = France, C = FR
CN = AC Education Nationale, OU = 110 043 015, O = Ministere Education Nationale (MENESR), C = FR, E = igc@orion.education.fr
CN = AC Enseignement Scolaire, OU = 110 043 015, O = Ministere Education Nationale (MENESR), C = FR, E = igc@orion.education.fr
CN = AC Infrastructures, OU = 110 043 015, O = Ministere education nationale (MENESR), C = FR
Loïc, Please investigate this bug, and respond in the bug. As per sections 9.2.1 and 9.2.2 of the Baseline Requirements, for SSL certs the domain name or IP address must be in the certificate's subjectAltName extension.
https://cabforum.org/baseline-requirements-documents/
Assignee: kwilson → igca
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: BR Compliance
Loic: have you or your team been investigating this issue?

Gerv
(In reply to Kathleen Wilson from comment #1)
> Loïc, Please investigate this bug, and respond in the bug. As per sections
> 9.2.1 and 9.2.2 of the Baseline Requirements, for SSL certs the domain name
> or IP address must be in the certificate's subjectAltName extension.
> https://cabforum.org/baseline-requirements-documents/

In Bug #1245280 we disabled CN fallback for all certificates with a notBefore date later than 23 August 2016. This shipped in Firefox 48, which is the current release. As a result, all newly-issued certificates that do not have a subject alternative name extension with the appropriate DNS name entries will not validate successfully in Firefox.
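The name check described in the comment above, modelled as an added example (not code from Firefox, NSS or this bug). It works on certificates already decoded into the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, uses constructed sample certificates, and assumes the cut-off falls at the end of 23 August 2016 UTC; the wildcard rule is simplified.

```python
import ssl

# Cut-off quoted in the comment: no CN fallback when notBefore is later than
# 23 August 2016. Assumption: "later than" means after the end of that day, UTC.
CN_FALLBACK_CUTOFF = ssl.cert_time_to_seconds("Aug 23 23:59:59 2016 GMT")

def dns_names(cert):
    """dNSName entries of the subjectAltName extension (empty if absent)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    """commonName values from the subject DN."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def label_match(pattern, host):
    """Exact match, or one leftmost '*' label (simplified wildcard rule)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" and len(p) > 2 else p == h

def check_name(cert, host):
    """Return (ok, reason) for the hostname check described in the thread."""
    sans = dns_names(cert)
    if sans:  # SAN dNSName entries present: the CN is never consulted
        ok = any(label_match(s, host) for s in sans)
        return ok, "matched SAN" if ok else "SAN present, no match"
    if ssl.cert_time_to_seconds(cert["notBefore"]) > CN_FALLBACK_CUTOFF:
        return False, "no dNSName SAN and CN fallback disabled"
    ok = any(label_match(c, host) for c in common_names(cert))
    return ok, "matched CN (legacy fallback)" if ok else "no dNSName SAN, CN mismatch"

# Constructed sample certificates, in getpeercert() dict form.
HOST = "intranet.example.test"
OLD_NO_SAN = {"subject": ((("commonName", HOST),),),
              "notBefore": "Jun  2 00:00:00 2014 GMT"}
NEW_NO_SAN = dict(OLD_NO_SAN, notBefore="Sep  1 00:00:00 2016 GMT")
NEW_WITH_SAN = dict(NEW_NO_SAN, subjectAltName=(("DNS", HOST),))
NEW_WILDCARD = dict(NEW_NO_SAN, subjectAltName=(("DNS", "*.example.test"),))

if __name__ == "__main__":
    for label, cert in [("old, no SAN", OLD_NO_SAN), ("new, no SAN", NEW_NO_SAN),
                        ("new, SAN", NEW_WITH_SAN), ("new, wildcard", NEW_WILDCARD)]:
        print(f"{label:14} -> {check_name(cert, HOST)}")
```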
PM/SGDN root removed via Bug #1272156.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program