In July TI Trust Technologies Global CA issued a certificate with no subject alternative name extension: https://crt.sh/?id=26361345&opt=cablint It doesn't look like an ongoing problem, but we should reach out and make sure they have a process in place for preventing this and similar problems in the future.
Ben and Jeremy, looks like TI Trust Technologies Global CA is one of DigiCert's CA Hierarchies. Would you please check with them to make sure they are no longer issuing SSL certs without SAN?
We checked with Telecom Italia Trust Technologies regarding this no-SAN certificate and regarding earlier issued SHA1 certificates. They responded that these were logged and remediated as bugs in their systems, and should not re-occur. ("Regarding the “no-SAN” certificate issued in July, this happened because of a bug (already fixed) in the in the check on the presence of the attribute SAN in the csr of our provisioning system.")
Ben: Can you provide an update on this bug on the status of TI Trust Technologies? My understanding is that they have been migrated to a managed infrastructure, but I think an update here would be good before we close this bug out.
Hey Ryan - they are in process of migration. We're still working with them to figure out what date we can add their old CA to OneCRL and when we can revoke it. We didn't want to close this one until we got them to commit to a set date.
Thanks. Without wanting to spread the discussion out around several bugs, can you provide an update about the timelines here towards making a decision? In wanting to apply a consistent standard, and a consistent expectation of communication, I think it's reasonable to have an expectation of a concrete date to be set soon.
Yes. We currently proposed Oct 31, 2017 as the OneCRL date and Dec 29, 2017 as the revocation date. TI Trust Systems is looking at the impact of those dates and should reply to us shortly. They just barely started migrating to the DigiCert-hosted issuing CA. I'll update the bug when the respond
Update: We're currently performing the domain validation on all domains used by TI Trust Systems. Once this is complete, they will begin migration to a hosted solution.
Can you confirm the migration is still scheduled in ~2 weeks (Oct 31)? It didn't look like there was an update to Comment #6
They are currently migrating. They have migrated 800+ certs so far. I doubt we'll finish the migration by Oct 31. We ran into some language complications while trying to complete the domain validation process. I suspect they will finish closer to the end of Nov. The last few always take the longest to transfer over.