Closed Bug 1048045 Opened 10 years ago Closed 10 years ago

GlobalSign Partner: No SAN

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: him, Assigned: steve.roylance)

References

Details

Attachments

(1 file)

2.27 KB, application/x-x509-ca-cert
Attached file san_cert.crt
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2106.0 Safari/537.36

Steps to reproduce:

Looked for the SAN extension in the attached certificate.


Actual results:

Certificate does not contain a SAN extension.


Expected results:

As per 9.2.1 of CA/B Baseline Requirements, all end entity certificates must have the SAN extension.
Assignee: kwilson → steve.roylance
Blocks: 825954
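An added audit check, not from the bug report or from GlobalSign's or Virginia Tech's own tooling: a dependency-free Python walker that reads a DER certificate's Extensions and reports whether subjectAltName (2.5.29.17) is present, the condition the reporter checked by hand against BR 9.2.1. `fake_cert` is a constructed, non-valid TBSCertificate skeleton used only so the check runs offline; for a real certificate pass its DER bytes (convert PEM first).

```python
SAN_OID = bytes.fromhex("551d11")    # DER of 2.5.29.17 (id-ce-subjectAltName)
EXTENSIONS_TAG = 0xA3                 # [3] EXPLICIT Extensions inside TBSCertificate

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(constructed):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(constructed):
        tag, value, pos = _read_tlv(constructed, pos)
        yield tag, value

def extension_oids(der):
    """Set of raw extnID encodings found in the certificate's Extensions block."""
    _, cert, _ = _read_tlv(der, 0)    # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _read_tlv(cert, 0)    # tbsCertificate is the first element
    oids = set()
    for tag, value in _children(tbs):
        if tag == EXTENSIONS_TAG:
            _, exts, _ = _read_tlv(value, 0)         # Extensions ::= SEQUENCE OF Extension
            for _, ext in _children(exts):
                _, oid, _ = _read_tlv(ext, 0)        # extnID OID is the first field
                oids.add(oid)
    return oids

def has_san(der):
    """True if the certificate carries a subjectAltName extension (BR 9.2.1)."""
    return SAN_OID in extension_oids(der)

def _tlv(tag, body):
    """Minimal DER encoder for constructed test data (bodies under 256 bytes)."""
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def fake_cert(ext_oids):
    """Constructed TBSCertificate skeleton (not a real cert): version, serial, Extensions."""
    fields = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
    if ext_oids:
        exts = b"".join(_tlv(0x30, _tlv(0x06, o) + _tlv(0x04, b"\x30\x00")) for o in ext_oids)
        fields += _tlv(0xA3, _tlv(0x30, exts))
    return _tlv(0x30, _tlv(0x30, fields))

KEY_USAGE_OID = bytes.fromhex("551d0f")   # 2.5.29.15, a non-SAN extension for the sample
print(has_san(fake_cert([KEY_USAGE_OID, SAN_OID])), has_san(fake_cert([KEY_USAGE_OID])))
```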
GlobalSign has been running a Partner Program since January 1999. The program has changed over time to meet the demands of the changing environment for external CA operation. Occasionally some of those changes overlap and best practice moves to the next program where improvements are made. Whilst auditing helps to find and correct issues, it does not always catch all issues in time. This is one of those examples.

The "Virginia Tech Global Server CA" is now in revocation mode only, i.e. only issuing CRLs, and has been replaced by a new Name Constrained CA, "Virginia Tech Global Qualified Server CA". This cross-over took place in 2013 (March through to September, to be exact). You can see the new CA in operation here: https://www.vt.edu/ which has SANs and Name Constraints and is based on the new Program from GlobalSign, 'Trusted Root', rather than the older program, 'RootSign Partners'.

GlobalSign will re-verify with the customer when the last Certificate was issued from the older system, but looking at an audit report from Q1 this year it seems to be September 2013, with an expiry of Feb 2016. Although an infringement of the Baseline Requirements was made with the old program, it was not deemed 'critical', therefore older certificates without SANs were not replaced ahead of their normal expiry. There are currently 428 certificates still alive and 115 of those have SANs included (i.e. where multiple DNS names were needed). That figure is now 100% for the new CA (from March 2013 onwards), therefore I hope this blocking bug can be closed down as the necessary corrective actions have been made and, moving forward, the CA is compliant.
My apologies, the expiry of the last certificate is September 2015, not Feb 2016 as stated above. This is in line with previous communications with Mozilla staff on the expiry of CRL-only issuing CAs.

Subject: CN=VetWebAP.vetmed.vt.edu,OU=vetmed,O=Virginia Polytechnic Institute and State University,L=Blacksburg,ST=Virginia,DC=vt,DC=edu,C=US
Issuer: CN=Virginia Tech Global Server CA,OU=Global Server CA,O=Virginia Tech,C=US
Fingerprint (SHA-1): D9:78:4C:A4:BB:40:06:97:75:36:96:41:22:87:F5:4C:2F:5D:C7:41
Serial: 6C:58:1C:B3:9F:F0:32:85
Valid Until: 13-SEP-2015 13:30:41 GMT
No longer blocks: 825954
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Product: mozilla.org → NSS
Product: NSS → CA Program