Closed Bug 1017157 Opened 6 years ago Closed 3 years ago

DigiCert: no subject alternative name in Siemens certs

Categories

(NSS :: CA Certificate Compliance, task)

x86_64
Linux
task
Not set

RESOLVED FIXED

People

(Reporter: kurt, Assigned: kwilson)

Details

(Whiteboard: [ca-compliance])

I'm seeing recent certificates without the subject alternative name extension from the following path:
CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE
CN = Siemens Internet CA V1.0, OU = Copyright (C) Siemens AG 2011 All Rights Reserved, serialNumber = ZZZZZZV0, O = Siemens, C = DE
CN = Siemens Issuing CA Class Internet Server 2013, OU = Copyright (C) Siemens AG 2013 All Rights Reserved, serialNumber = ZZZZZZY9, O = Siemens, C = DE
Summary: no subject alternative name → Siemens: no subject alternative name
Steven, here's another no-SAN bug.
Assignee: kwilson → steve.medin
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: BR Compliance
We are reiterating proper certificate content requirements to our OmniRoot subordinate customer and requesting an action plan to resolve this issue.
...and any news from Siemens? :-)

Gerv
Assignee: steve.medin → kwilson
This should be fixed.
(In reply to Jeremy from comment #4)
> This should be fixed.

Please explain what you mean, i.e. bad certs revoked? Process fixed so such certs will no longer be issued?
Summary: Siemens: no subject alternative name → DigiCert: no subject alternative name in Siemens certs
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: BR Compliance → [ca-compliance]
Siemens is no longer issuing certificates at all from the Baltimore root. It's fixed because the root is only active to support existing digital certificates. Once those expire, we plan to revoke the intermediate. Would you like all the certs missing SANs revoked? As of today, we haven't requested that Siemens revoke any/all valid certs with this existing problem, but we certainly can.

Sorry it took so long to reply to this - I didn't realize it was still an open issue.
For new certificates issued since last year, the issuing CA (Siemens Issuing CA Internet Server 2016) chains up to the QuoVadis Root CA 2 G3 through an intermediate CA - QuoVadis Enterprise Trust CA 2 G3.
(In reply to Jeremy from comment #6)
> Would you like all the certs missing SANs revoked? 

I don't think that's necessary.

Closing this bug as fixed.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS