IGC/A: no subject alternative name

RESOLVED FIXED

Status

NSS
CA Certificate Root Program
4 years ago
a year ago

People

(Reporter: Kurt Roeckx, Assigned: igca_anssi)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: BR Compliance)

(Reporter)

Description

4 years ago
I'm seeing certificates without the subject alternative name extension from the following path:
E = igca@sgdn.pm.gouv.fr, CN = IGC/A, OU = DCSSI, O = PM/SGDN, L = Paris, ST = France, C = FR
CN = AC Education Nationale, OU = 110 043 015, O = Ministere Education Nationale (MENESR), C = FR, E = igc@orion.education.fr
CN = AC Enseignement Scolaire, OU = 110 043 015, O = Ministere Education Nationale (MENESR), C = FR, E = igc@orion.education.fr
CN = AC Infrastructures, OU = 110 043 015, O = Ministere education nationale (MENESR), C = FR

Comment 1

4 years ago
Loïc, Please investigate this bug, and respond in the bug. As per sections 9.2.1 and 9.2.2 of the Baseline Requirements, for SSL certs the domain name or IP address must be in the certificate's subjectAltName extension.
https://cabforum.org/baseline-requirements-documents/

Updated

4 years ago
Assignee: kwilson → igca
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: BR Compliance

Updated

4 years ago
Blocks: 1029147
Loic: have you or your team been investigating this issue?

Gerv

Comment 3

2 years ago
(In reply to Kathleen Wilson from comment #1)
> Loïc, Please investigate this bug, and respond in the bug. As per sections
> 9.2.1 and 9.2.2 of the Baseline Requirements, for SSL certs the domain name
> or IP address must be in the certificate's subjectAltName extension.
> https://cabforum.org/baseline-requirements-documents/

In Bug #1245280 we disabled CN fallback for all certificates with a notBefore date later than 23 August 2016. This shipped in Firefox 48, which is the current release. As a result, all newly-issued certificates that do not have a subject alternative name extension with the appropriate DNS name entries will not validate successfully in Firefox.
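
The triage rule described in comment 3, as an added example that is not part of the original thread and is not Firefox or NSS code. It is a simplified model: the `classify` and `makeCert` names, the result strings, the sample hostname and the midnight-UTC reading of the cutoff date are assumptions, and the certificates are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var cnFallbackCutoff = time.Date(2016, time.August, 23, 0, 0, 0, 0, time.UTC) // date quoted in comment 3

// classify is a simplified model: it checks that name entries exist, not that they match a host.
func classify(c *x509.Certificate) string {
	switch {
	case len(c.DNSNames) > 0 || len(c.IPAddresses) > 0:
		return "san-present"
	case c.NotBefore.After(cnFallbackCutoff):
		return "no-san-rejected" // CN fallback disabled for this notBefore
	default:
		return "no-san-cn-fallback" // validates via CN only; SAN still missing
	}
}

// makeCert builds a constructed, self-signed sample certificate in memory.
func makeCert(cn string, sans []string, notBefore time.Time) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	for _, nb := range []time.Time{time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2016, 9, 1, 0, 0, 0, 0, time.UTC)} {
		fmt.Println(nb.Format("2006-01-02"), classify(makeCert("host.example.test", nil, nb)))
	}
}
```

To audit real certificates, pass the result of `x509.ParseCertificate` on each DER-encoded leaf to `classify` instead of the constructed samples.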

Comment 4

2 years ago
PM/SGDN root removed via Bug #1272156.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Updated

a year ago
Product: mozilla.org → NSS