Closed Bug 1237444 Opened 10 years ago Closed 10 years ago

cloudflare sha1 certificates in 2016

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: kurt, Assigned: kathleen.a.wilson)

I've found 2 SHA1 based certificates so far using SHA1:
The subjects are:
OU=Domain Control Validated,OU=Legacy Multi-Domain SSL,CN=ssl383352.cloudflaressl.com
OU=Domain Control Validated,OU=Legacy Multi-Domain SSL,CN=ssl393050.cloudflaressl.com
The issuer is:
C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO Domain Validation Legacy Server CA 2
Do they happen to chain up to the Comodo root certs that were removed in NSS 3.21 / Firefox 44? https://mozillacaprogram.secure.force.com/CA/RemovedCACertificateReport
It's possible that they chain to a root that's removed; I need to check that but don't have time now.
Yes, these certs were issued by an intermediate [1] that was issued by our "UTN - DATACorp SGC" root, which was removed in NSS 3.21 / Firefox 44. See also [2].
[1] https://crt.sh/?id=11814210
[2] https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/
"CloudFlare has worked to ensure that we can continue to responsibly provide SHA-1 support for all our paid customers even after the new year."
Closing this bug, because as far as the NSS root store is concerned this bug is fixed by the removal of the "UTN - DATACorp SGC" root, per Bug #1208461.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program