Closed Bug 1321354 Opened 9 years ago Closed 9 years ago

DocuSign France - Internal names certificates under a technically-constrained subordinate CA

Categories

(CA Program :: CA Certificate Root Program, task)



RESOLVED FIXED

People

(Reporter: erwann.abalea, Assigned: kathleen.a.wilson)

Details

(Whiteboard: BR Compliance)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36

Steps to reproduce:

In June 2016, after an audit of a subordinate CA using a technically-constrained certificate, we noticed a number of CP non-compliances, and requested the CA to solve these CP non-compliances and to revoke 20 internal name certificates no later than 1 October 2016, as required by CABF BR section 7.1.4.2.1. This was acknowledged and accepted by the CA. Coming back to this CA in November 2016, we discovered that the offending certificates hadn't been revoked (first BR non-compliance): 18 of them had expired recently (1 to 2 weeks before), 2 of them were still valid (until January 2017), and a new one had been generated 2 weeks before (second BR non-compliance). We again asked the CA to revoke the 2 old certificates and the new one, and to make some technical changes to follow their CP. The CA certificate is technically-constrained as defined by Mozilla and CABF BR, the offending certificates are used on internal servers only and don't match the name constraints, so the impact on Mozilla users should be negligible.
Whiteboard: BR Compliance
2 of the 3 bad certificates were revoked on 01 December 2016, and the 3rd one was revoked on 30 November 2016. The required technical changes have been made (the EKU extension was missing in a certificate template). 2 new certificates were generated to replace 2 of the revoked certificates. In total, 5 certificates have been pushed to Google CT logs (pilot and rocketeer; aviator is currently frozen), and I'm waiting for their acceptance by crt.sh to provide links.
The old TLS server certificates with internal names are here: https://crt.sh/?id=59089680 and https://crt.sh/?id=59089603. The newly created certificate with the missing EKU is at https://crt.sh/?id=59089399. All 3 have been revoked as shown by crt.sh. The 2 newly created certificates (good) are here: https://crt.sh/?id=59089716 and https://crt.sh/?id=59089649.
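A check of the kind this bug relies on, added here as an example (not code from the bug, from DocuSign France or from Mozilla): it flags SAN entries of a leaf certificate that are internal names or fall outside the issuing sub-CA's dNSName constraints, and a template that omits the serverAuth EKU. The constraint list, the TLD set and the sample certificates are constructed assumptions, not the real sub-CA's data.

```python
import ipaddress

# Constructed sample, not the real sub-CA's constraints: permitted dNSName
# subtrees of a hypothetical technically constrained subordinate CA.
PERMITTED_DNS = ["example.com"]
# Constructed sample of public TLDs; a production check would use the full
# IANA TLD / public suffix list instead.
PUBLIC_TLDS = {"com", "net", "org", "fr", "eu"}

def dns_within_constraint(name, constraint):
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it equals it
    or is formed by adding labels to the constraint's left-hand side."""
    name, constraint = name.lower().rstrip("."), constraint.lower().strip(".")
    return name == constraint or name.endswith("." + constraint)

def is_internal_name(san):
    """BR 'Internal Name': a private/reserved IP, or a DNS name whose
    rightmost label is not a public TLD, so it cannot resolve publicly."""
    try:
        ip = ipaddress.ip_address(san)
        return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
    except ValueError:
        labels = san.lower().rstrip(".").split(".")
        return len(labels) < 2 or labels[-1] not in PUBLIC_TLDS

def audit_leaf(cert, permitted_dns=PERMITTED_DNS):
    """Compliance findings for one leaf. `cert` is a constructed dict
    {"sans": [...], "eku": [...]} standing in for the parsed SAN and EKU."""
    findings = []
    for san in cert["sans"]:
        if is_internal_name(san):
            findings.append(f"{san}: internal name, prohibited by BR 7.1.4.2.1")
        elif not any(dns_within_constraint(san, c) for c in permitted_dns):
            findings.append(f"{san}: outside the issuing CA's name constraints")
    if "serverAuth" not in cert.get("eku", []):
        findings.append("EKU missing or lacks id-kp-serverAuth (template defect)")
    return findings

if __name__ == "__main__":
    # Constructed certificates mirroring the three situations in this bug.
    samples = {
        "internal-name cert": {"sans": ["intranet-srv01", "10.0.0.5"], "eku": ["serverAuth"]},
        "cert from template without EKU": {"sans": ["www.example.com"], "eku": []},
        "compliant replacement": {"sans": ["www.example.com"], "eku": ["serverAuth"]},
    }
    for label, cert in samples.items():
        print(f"{label}: {audit_leaf(cert) or ['OK']}")
```

Run against real certificates, the SAN and EKU values would come from the parsed extensions and the permitted subtrees from the issuer's nameConstraints extension.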
Thanks, Erwann! I believe this bug has been resolved.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program