1/ How your CA first became aware of the problem.
I became aware of it through this bug, opened by Andrew Ayer and assigned to me by Ryan Sleevi.
2/ A timeline of the actions your CA took in response.
2018-11-20 14:01:11 UTC CREATION OF A TEST CERTIFICATE FOR “TEST2011.CERTINOMIS.COM”
2019-01-08 09:24:10 UTC CREATION OF TEST CERTIFICATE FOR “TESTSCT.CERTINOMIS.COM”
2019-01-30 15:59 PST bugzilla opened by Andrew Ayer
2019-01-31 06:53 PST bugzilla assigned by Ryan Sleevi
2019-01-31 06:54 PST bugzilla status change from UNCONFIRMED to ASSIGNED by Ryan Sleevi
2019-01-31 14:54 UTC notification from Bugzilla Bugzilla-daemon received in firstname.lastname@example.org mailbox.
2019-01-31 14:54 UTC notification from Bugzilla Ryan Sleevi received in email@example.com mailbox.
2019-02-01 10:39:31 UTC Revocation of “testSCT.certinomis.com”
2019-02-01 16:42:23 UTC Revocation of “test2011.certinomis.com”
3/ Whether your CA has stopped, or has not yet stopped,
4/ A summary of the problematic certificates.
« TEST2011.CERTINOMIS.COM »
5/ The complete certificate data for the problematic certificates.
6/ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
NOT A MISTAKE BUT A FEATURE
Access to our RA service requires the use of a personal digital certificate on a smart card.
We have some delegated RAs for big companies, and to oblige their operators to issue only certificates for their own company, the RA software has been coded so that it inserts into the SSL certificate request the identity (NAME and ID number) from the operator's certificate.
When they need to perform a test, our employees have personal certificates issued for a fictive company name ("POUR TEST", which means "FOR TESTING") BUT a real Company ID Number, derived from ours (433998903), so that (1) the developer cannot engage a real company with this certificate and (2) a link with Certinomis remains for any use of this certificate.
When requesting a test certificate for "test2011.certinomis.com", the company information from the operator's certificate is forced into the SSL certificate request.
7/ List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.
From Certinomis' point of view there is no security issue: (1) nobody would have given any trust to these certificates, clearly identified as TEST certificates, and (2) these certificates have of course not been used for production services exposed publicly.
If necessary we can forbid the developers to test and ask an executive to test with a real personal certificate, but this way of doing things does not seem appropriate in such a situation.
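As an added example, not part of this Bugzilla report and not Certinomis' RA software: a Go pre-issuance check that builds a CSR of the shape the report describes (the operator certificate's company name and ID copied into the Subject) and refuses issuance from a public-trust path when the Subject carries a test-identity marker. Only "POUR TEST" and the hostname come from the report; the marker list, the company ID value, the key type and the LintSubject/BuildCSR/ShouldIssue names are assumptions for this example. The point is that the identity-forcing behaviour can stay as designed while a lint in the issuance path still blocks fictive company names from reaching a publicly trusted certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Markers that identify a testing identity rather than a real company.
// "POUR TEST" is the fictive company name from the report; the other two
// are assumed placeholders added for this example.
var testMarkers = []string{"POUR TEST", "FOR TEST", "TESTING"}

// LintSubject returns one finding for every Subject attribute (O, OU,
// serialNumber) that carries a test-identity marker. Matching is
// case-insensitive. An empty result means the Subject passed.
func LintSubject(subject pkix.Name) []string {
	var findings []string
	check := func(attr string, values []string) {
		for _, v := range values {
			upper := strings.ToUpper(v)
			for _, marker := range testMarkers {
				if strings.Contains(upper, marker) {
					findings = append(findings,
						fmt.Sprintf("%s=%q carries test marker %q", attr, v, marker))
					break // one finding per attribute value is enough
				}
			}
		}
	}
	check("O", subject.Organization)
	check("OU", subject.OrganizationalUnit)
	check("serialNumber", []string{subject.SerialNumber})
	return findings
}

// BuildCSR reproduces the request shape the report describes: the RA
// software copies the operator certificate's company name (O) and company
// ID (serialNumber) into the TLS request. Key and values are constructed.
func BuildCSR(org, orgID, hostname string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	template := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:   hostname,
			Organization: []string{org},
			SerialNumber: orgID,
		},
		DNSNames: []string{hostname},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, template, key)
	if err != nil {
		return nil, err
	}
	// Parse the DER back so the lint sees exactly what the CA would receive.
	return x509.ParseCertificateRequest(der)
}

// ShouldIssue is the pre-issuance gate: the CSR signature must verify and
// the Subject must not identify a testing identity. Findings explain a
// refusal so the operator sees why the request was blocked.
func ShouldIssue(csr *x509.CertificateRequest) (bool, []string) {
	if err := csr.CheckSignature(); err != nil {
		return false, []string{"CSR signature does not verify: " + err.Error()}
	}
	findings := LintSubject(csr.Subject)
	return len(findings) == 0, findings
}

func main() {
	// Constructed request carrying the report's fictive company name; the
	// company ID is a placeholder, not the value from the report.
	csr, err := BuildCSR("POUR TEST", "CONSTRUCTED-COMPANY-ID", "test2011.certinomis.com")
	if err != nil {
		panic(err)
	}
	ok, findings := ShouldIssue(csr)
	fmt.Printf("issue=%v\n", ok)
	for _, f := range findings {
		fmt.Println("  ", f)
	}
}
```

Running it prints `issue=false` with a single finding on the O attribute. A request for a real organisation name with no marker passes the same gate, so the check targets only the fictive-identity case without interfering with the delegated-RA design the report describes.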