Closed Bug 1405817 Opened 2 years ago Closed 2 years ago

Actalis: Certs issued with same issuer and serial number

Categories: NSS :: CA Certificate Compliance (task)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: kwilson; Assigned: adriano.santoni (NeedInfo)
Whiteboard: [ca-compliance]

As reported here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/SM3cUnENmUw/ZeNCpR2eBgAJ

This CA has issued intermediate certificates with the same issuer and serial number. This is a clear violation of the serial number uniqueness requirement of the BRs and RFC 5280 4.1.2.2.

   Issuer: https://crt.sh/?caid=935
   Issuer O: Actalis S.p.A./03358520967
  Issuer CN: Actalis Authentication Root CA
Subject CN: UniCredit Subordinate External
   Serial #: 3e:5d:be:44:e7:51:5a:5a
      Certs: https://crt.sh/?id=47081615
             https://crt.sh/?id=147626411
   Revoked?: No

Please provide an incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Please also add records for these certs to the CCADB, and explain why they were not previously disclosed in the CCADB.

(In reply to Kathleen Wilson from comment #1)
> Please also add records for these certs to the CCADB, and explain why they
> were not previously disclosed in the CCADB.

Can ignore Comment #1, as it turns out these certs are technically constrained:
https://groups.google.com/d/msg/mozilla.dev.security.policy/SM3cUnENmUw/uS_D8T99AAAJ
Initial incident report provided here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/SM3cUnENmUw/H8ViHhF2BwAJ
...

Immediate action:

- revocation of the affected SubCA certificate is scheduled for Oct 4th, EOB.

Remedial actions to avoid re-occurrence of the same problem in the future:

- update to our SubCA post-processing software so that it cannot be executed more than once on the same certificate;
- update of the reference manual of SubCA post-processing software and the CA certificates generation procedure, with clarifications on how similar situations must be handled;
- at the earliest opportunity, upgrade of our Root CA software so that post-processing of SubCA certificates is no longer required;
- awareness meeting with the CA staff to clarify what happened, what caused the issue, and how the staff must behave in such circumstances.

Update on remedial actions:
- revocation of the affected SubCA certificate was done on Oct 4th as scheduled;
- our SubCA post-processing software was updated (fixed) on the same day, Oct 4th; (§)
- awareness meeting with the CA staff and our internal auditor was held on Oct 5th;
- update of the reference manual of SubCA post-processing software is under way;
- study of the paths for upgrading of our Root CA software is under way.

(§) We also took into account that, since the time when we issued the SubCA certificate for Unicredit (Oct 17, 2016), the requirements on TCSCAs have changed in the Mozilla Root CA policy, so as to also require constraints of type directoryName.
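The violation Kathleen describes above (two certificates sharing an issuer and a serial number, contrary to RFC 5280 4.1.2.2) and the guard Adriano lists among the remedial actions (a post-processing step that cannot be run twice on the same certificate), as an added example in Python that is not part of this bug, of Mozilla's tooling or of Actalis' software. It reads the issuer and serial straight out of DER with the standard library only, reports every (issuer, serial) pair seen more than once, and wraps the run-once rule in a small ledger. The `PostProcessLedger` class, the `stub_cert` helper and the sample certificates are assumptions constructed for the example; the serial 3e:5d:be:44:e7:51:5a:5a is the one from the bug, but the certificates carrying it here are DER stubs, not the real UniCredit certificates.

```python
from collections import defaultdict


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos and return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def issuer_and_serial(cert_der):
    """Return (issuer Name as raw DER bytes, serialNumber as int) of a DER Certificate.
    TBSCertificate begins: [0] version OPTIONAL, serialNumber INTEGER, signature
    AlgorithmIdentifier, issuer Name.  Byte-equal issuers suffice for one CA's output."""
    tag, pos, _ = _read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(cert_der, pos)      # [0] version; absent in v1 certs
    if tag == 0xA0:
        tag, start, end = _read_tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(cert_der[start:end], "big", signed=True)
    tag, _, end = _read_tlv(cert_der, end)          # signature AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signature is not a SEQUENCE")
    issuer_start = end
    tag, _, end = _read_tlv(cert_der, end)          # issuer Name
    if tag != 0x30:
        raise ValueError("issuer is not a SEQUENCE")
    return cert_der[issuer_start:end], serial


def find_duplicate_serials(certs):
    """Map (issuer_der, serial) -> indices of the certs sharing that pair (duplicates only)."""
    seen = defaultdict(list)
    for i, der in enumerate(certs):
        seen[issuer_and_serial(der)].append(i)
    return {key: idx for key, idx in seen.items() if len(idx) > 1}


class PostProcessLedger:
    """Hypothetical guard for a SubCA post-processing step: it refuses to run a
    second time on the same (issuer, serial).  The real tool is not on the page."""
    def __init__(self):
        self._done = set()

    def claim(self, cert_der):
        key = issuer_and_serial(cert_der)
        if key in self._done:
            raise RuntimeError("serial %x under this issuer was already post-processed" % key[1])
        self._done.add(key)
        return key


# Constructed test input: DER stubs carrying only the fields the parser reads, not real certs.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value):  # shortest two's-complement encoding of a non-negative int
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def stub_cert(issuer_cn, serial, v1=False):
    alg = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")      # sha256WithRSAEncryption
    cn = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, issuer_cn.encode()))  # id-at-commonName
    issuer = _der(0x30, _der(0x31, cn))
    version = b"" if v1 else _der(0xA0, _der_int(2))
    tbs = _der(0x30, version + _der_int(serial) + alg + issuer)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))  # dummy signature BIT STRING


ROOT = "Actalis Authentication Root CA"
SAMPLE_CERTS = [
    stub_cert(ROOT, 0x3E5DBE44E7515A5A),             # first SubCA issuance
    stub_cert(ROOT, 0x3E5DBE44E7515A5A),             # post-processing re-run: same issuer and serial
    stub_cert(ROOT, 0x3E5DBE44E7515A5B),             # distinct serial, fine
    stub_cert("Other Root CA", 0x3E5DBE44E7515A5A),  # same serial under another issuer, fine
]
```

Run `find_duplicate_serials` over every certificate a root has issued (or a crt.sh export for its caid); any non-empty result is a 4.1.2.2 violation, and for `SAMPLE_CERTS` it flags certs 0 and 1 only. The issuer is compared byte for byte, which is exact for certificates the same CA software produced but would miss two encodings of the same name that RFC 5280 name matching treats as equal (for example different string types).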
Adriano Santoni: do you have any update on this situation?

Gerv
Flags: needinfo?(adriano.santoni)

Yes. We have just finished defining our procedure for upgrading our Root CA software in our test environment, and have scheduled the upgrade in production by end of year.

According to schedule, near the end of 2017 we deployed an upgraded Root CA software to our production PKI environment. It was duly tested and found to work properly, according to specs, including full support for Name Constraints. Our legacy SubCA post-processing software tool was therefore decommissioned and will not be used anymore.

Adriano, thank you for the update. I have confirmed that both certificates are revoked and it appears that all action items have been completed, so I am closing this issue.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED