Certinomis: invalid DNS names in SAN
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: agwa-bugs, Assigned: marc.maitre)
Details
(Whiteboard: [ca-compliance] [ov-misissuance])
Certinomis has issued the following TLS Server Authentication precertificates with invalid DNS names in the SANs:
https://crt.sh/?sha256=0281B848BC319A861F9D1F8EE49D83109F162343AD83257CAA7E62B675A022E4
https://crt.sh/?sha256=053AE960B34A655F119737BD34FBFCBB8F8BBEE7B1E76437FC5042CA266DEC85
https://crt.sh/?sha256=33E05C6371A443E9FF327EE6AECE3DC5B90BB8A1D9E60169142A8B82B1C46A79
https://crt.sh/?sha256=69BCEAE34FF817DA1A08947198B6AC12C6381F56FB0F5EC9EE09BECE6A4E96B5
https://crt.sh/?sha256=7554157AFF509AE3D85DCA547A463422E4AA610CB1F247F55D32A1C466CCAFEF
https://crt.sh/?sha256=EA12655FC8B5C9C00849A31A2FEB8F8ECDFCFC661E97210695BD20C3A70CD5BE
https://crt.sh/?sha256=F1213118772CF03CBD24400C7599F490AB30F4219A441D1E290F3BF7D231E389
All certificates are currently revoked.
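The defect behind this bug is a dNSName in the SubjectAltName that does not follow the RFC 1034 "preferred name syntax" that RFC 5280 section 4.2.1.6 requires (and that the Baseline Requirements inherit, allowing only a left-most `*` wildcard label). As an added example, not code from the bug, from Certinomis or from crt.sh, the following pre-issuance lint parses the DER content of a SubjectAltName extension and flags each dNSName that would fail that syntax. The SAN bytes are constructed here for illustration; the names in it are made up and are not the values from the listed certificates.

```python
# Added example: lint the dNSName entries of a DER-encoded SubjectAltName
# extnValue (SEQUENCE OF GeneralName) against RFC 5280 4.2.1.6 / RFC 1034
# preferred name syntax (RFC 1123 leading digits allowed) plus the BR
# wildcard rule. Pure standard library; input is the extension's octet
# string content, not the whole Extension structure.
import re

# One DNS label: 1-63 octets, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def san_dnsnames(der):
    """Return the raw bytes of every dNSName ([2] IA5String, tag 0x82) in a SAN."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x82:
            names.append(v)
    return names


def lint_dnsname(raw):
    """Return the list of problems with one dNSName value; [] means acceptable."""
    problems = []
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        # IA5String is ASCII only; internationalised names must be A-labels.
        return ["not IA5String (non-ASCII bytes); IDNs must be A-labels"]
    if name == "" or name.startswith(".") or name.endswith("."):
        problems.append("empty or leading/trailing dot")
    if " " in name:
        problems.append("contains space")
    if len(name) > 253:
        problems.append("longer than 253 octets")
    labels = name.split(".")
    for i, label in enumerate(labels):
        if label == "*" and i == 0 and len(labels) > 1:
            continue  # BR wildcard: '*' may only be the entire left-most label
        if "*" in label:
            problems.append("wildcard not the entire left-most label: %r" % label)
        elif not LABEL_RE.match(label):
            problems.append("label violates RFC 1034 preferred name syntax: %r" % label)
    return problems


def lint_san(der):
    """Map each dNSName in the extension to its list of problems."""
    return {raw.decode("ascii", "replace"): lint_dnsname(raw) for raw in san_dnsnames(der)}


def _dns_general_name(name):
    """Encode one [2] IA5String GeneralName (names here are shorter than 128 octets)."""
    b = name.encode("ascii")
    return bytes([0x82, len(b)]) + b


def _sequence(content):
    return bytes([0x30, len(content)]) + content


# Constructed sample SAN: two acceptable names and three malformed values of
# the kind a front end can pass through unchecked from a free-text field.
SAMPLE_SAN = _sequence(b"".join(_dns_general_name(n) for n in [
    "example.com",
    "*.example.com",
    "test cert 4",            # spaces: not a hostname at all
    "my_host.example.com",    # underscore is not allowed in a dNSName
    "-bad.example.com",       # label may not start with a hyphen
]))

if __name__ == "__main__":
    for name, problems in lint_san(SAMPLE_SAN).items():
        print("%-22s %s" % (name, "OK" if not problems else "; ".join(problems)))
```

Run as a gate before the CA signs: any non-empty problem list should block issuance (or, for a pre-certificate, block CT submission), which is exactly the control that was missing here. Public linters such as zlint apply the same rules with far more coverage; this block only shows the dNSName syntax check in isolation.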
Comment 1•5 years ago
Marc: Please provide an incident report, as per https://wiki.mozilla.org/CA/Responding_To_An_Incident
Comment 2•5 years ago
Hello,
1/ How your CA first became aware of the problem.
- When looking at test certificates after testing our VENAFI connector project.
- I was notified by this bug, opened by Andrew Ayer and assigned to me by Ryan Sleevi.
2/ A timeline of the actions your CA took in response.
2019-01-18 14:32:21 UTC CREATION OF Thomas RISON Test
2019-01-18 14:32:22 UTC REVOCATION OF Thomas RISON Test
2019-01-18 14:37:09 UTC CREATION OF Thomas RISON Test
2019-01-18 14:37:10 UTC REVOCATION OF Thomas RISON Test
2019-01-24 10:09:01 UTC CREATION OF Thomas RISON Test2
2019-01-24 10:09:03 UTC REVOCATION OF Thomas RISON Test2
2019-01-24 13:51:27 UTC CREATION OF Axel BOUKHRIS
2019-01-24 13:51:29 UTC REVOCATION OF Axel BOUKHRIS
2019-01-25 09:13:03 UTC CREATION OF Thomas RISON
2019-01-25 09:13:04 UTC REVOCATION OF Thomas RISON
2019-01-25 09:19:34 UTC CREATION OF Thomas RISON 3
2019-01-25 09:19:36 UTC REVOCATION OF Thomas RISON 3
2019-01-25 14:07:00 UTC CREATION OF Thomas RISON 4
2019-01-25 13:07:10 UTC REVOCATION OF Thomas RISON 4
2019-01-30 15:12 PST bugzilla opened by Andrew Ayer
2019-01-31 06:55 PST bugzilla assigned by Ryan Sleevi
2019-01-31 14:55 UTC notification from bugzilla-daemon received in the marc.maitre@docapost.fr mailbox.
3/ Whether your CA has stopped, or has not yet stopped,
Yes
4/ A summary of the problematic certificates.
7 certificates issued from 2019-01-18 to 2019-01-25:
"Axel BOUKHRIS", "Thomas RISON Test", "Thomas RISON 3", "Thomas RISON Test2", "Thomas RISON 4", "Thomas RISON", "Thomas RISON Test"
5/ The complete certificate data for the problematic certificates.
https://crt.sh/?id=1140520168
https://crt.sh/?id=1122237672
https://crt.sh/?id=1142762260
https://crt.sh/?id=1142749513
https://crt.sh/?id=1140030436
https://crt.sh/?id=1122244968
https://crt.sh/?id=1143286247
6/ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Certinomis is developing a connector for VENAFI software and it is only possible to test it by creating real certificates that are immediately revoked.
We tested three times, on 18/01, 24/01 and 25/01, correcting some bugs in between.
The improper DNS name in the SAN is one of the identified bugs that has to be fixed; work is in progress.
7/ List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.
The improper DNS name in the SAN is one of the identified bugs that has to be fixed; work is in progress.
Best regards
Marc MAITRE
Comment 3•5 years ago
> Certinomis is developing a connector for VENAFI software and it is only possible to test it by creating real certificates that are immediately revoked.
Please explain this in much more detail. Some questions I have include:
- Why are you doing development/testing in your production CA environment?
- Why is this not being done in a testing environment?
- What system/process was used to issue the certificates?
- Were any controls bypassed?
Please do not limit yourself to answering just these questions, the goal is to understand in detail what happened, why it happened, why the misissuance was possible, and how it will be prevented in the future.
> We tested three times 18/01, 24/01 and 25/01 and correcting some bugs in between.
After the first misissuance incident on 2019-01-18 did you do an investigation? What were the findings? Why wasn't an incident report filed here?
Comment 4•5 years ago
NOTE: Given the reference to "test" certificates, this incident may be related to bug #1524112.
Comment 5•5 years ago
The Certinomis Root CA is being removed from the Mozilla root store in bug 1552374, so I am resolving this bug. Additional comments that may be useful when considering any future application by Certinomis are welcome.