Closed Bug 1524451 Opened 6 years ago Closed 6 years ago

Certinomis: invalid CDP extension

Categories

(CA Program :: CA Certificate Compliance, task)


RESOLVED FIXED

People

(Reporter: jonathan, Assigned: marc.maitre)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Certinomis issued these certificates with an invalid cRLDistributionPoints extension. Note that these are two separate errors: one is HTTPS (should be HTTP; the certificates in bug 1524448 also have this issue) and the other is not a URL.

https://crt.sh/?opt=zlint&id=620065265
https://crt.sh/?opt=zlint&id=593608117

Marc: Please provide an incident report, as per https://wiki.mozilla.org/CA/Responding_To_An_Incident

Assignee: wthayer → marc.maitre
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(marc.maitre)
QA Contact: kwilson → wthayer
Whiteboard: [ca-compliance]

Here is an incident report aligned with the Mozilla template:

1/ How your CA first became aware of the problem.
After an error noticed on a personal certificate

2/ A timeline of the actions your CA took in response.
2018-07-02 : beginning of production with new PKI software
2018-07-06 : correction of the certificate template

3/ Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.
Yes, the error has been corrected and certificates issued by this CA are now carrying the right URL

4/ A summary of the problematic certificates.
one certificate "preprod.communaute.chorus-pro.gouv.fr"

5/ The complete certificate data for the problematic certificates.

https://crt.sh/?opt=zlint&id=593608117

6/ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
We had an important migration of PKI software at the beginning of July and, as there are several CAs and many certificate profiles to parameterize, it happened that an error occurred on this point.

7/ List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.
There is from beginning of this year a new entity focused on cybersecurity that is going to play a role of internal auditor.
One of their missions will be to routinely test with a certificate linter all our production and to ask for correction when necessary.
I expect this new organisation to be fully operational at the end of first quarter.

Previously the same man was responsible for organising the production and reporting the events.
That may explain why there are few reports until now, and especially why this incident had not been reported.
And this is the reason why there is now this role of internal audit.

François CHASSERY
CEO
Certinomis

Flags: needinfo?(francois.chassery)

Here is an incident report aligned with the Mozilla template:

1/ How your CA first became aware of the problem.
With Bugzilla notification

2/ A timeline of the actions your CA took in response.
2018-07-02 : beginning of production with new PKI software
2019-01-31 : Bugzilla notification
2019-02-08 : certificate template correction

3/ Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.
Yes the error has been corrected and certificates that will be issued by this CA will carry an http URL

4/ A summary of the problematic certificates.
one certificate "ctlog004.test.certinomis.com"

5/ The complete certificate data for the problematic certificates.

https://crt.sh/?opt=zlint&id=620065265

6/ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
We had an important migration of PKI software at the beginning of July and, as there are several CAs and many certificate profiles to parameterize, it happened that an error occurred on this point.

7/ List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.
There is from beginning of this year a new entity focused on cybersecurity that is going to play a role of internal auditor.
One of their missions will be to routinely test with a certificate linter all our production and to ask for correction when necessary.
I expect this new organisation to be fully operational at the end of first quarter.

Previously the same man was responsible for organising the production and reporting the events.
That may explain why there are few reports until now, and especially why this incident had not been reported.
And this is the reason why there is now this role of internal audit.

Flags: needinfo?(francois.chassery)

Francois: thank you for the incident reports. I do have some questions:

  • Please provide a more detailed explanation and timeline for the migration that triggered these misissuances. What about the migration allowed this to occur? What can other CAs who are migrating to new CA software learn from this incident?
  • I understand that a new compliance role has been established, but that in itself does not adequately describe the steps that will be taken to ensure that problems similar to this will not occur in the future. Please describe the specific remediation steps that will be taken and the timeline for those to be completed.
  • Specific to "routinely test with a certificate linter all our production", which I am interpreting as post-issuance linting, what is the date when you expect to begin linting all issued certificates? Are there plans to implement pre-issuance linting? When? If not, why?
  • Has Certinomis performed a complete review of all certificates issued during this migration and reported all additional misissuance that was found as a result of the investigation?
Flags: needinfo?(francois.chassery)

Hello Wayne,

Please find below answers to your questions:

  • The decision to migrate was taken in December 2017 with a planned shutdown date of the old system on June the 30th.
    The migration project has been realised over a six-month period. During this time the main attention has been given to (1) not
    losing useful data from the previous system and (2) setting up an operational system.
    All certificate templates (almost 50) had to be entered in the system and the engineer who did so typed wrong information for
    some of them.

  • This demonstrates the utility of linting. So, if and when we would install a new PKI software, we will run the linter on a
    batch of test certificates to check that the configuration is ok before starting production.

  • Yes, we will start with post issuance linting. This is a timeframe reason: we can rapidly (before 15th of March) start the
    control by the internal audit team. But we will need longer time to install the linter on our PKI for pre-issuance linting.
    So the decision is to start now with post issuance control, so that we will be more reactive in the future in case of any
    problem. And later in the year, at a time of roughly six months I would say, we will install pre-issuance linting on the PKI.

  • The complete test with all certificates issued from the migration will be performed by the internal audit team when they will be
    ready with their tool.

Kind regards,

François
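
Added example, not part of the original bug thread and not Certinomis's or zlint's code: a Go sketch of the profile check discussed above, which issues a throwaway test certificate from a template and flags the two cRLDistributionPoints errors named in the report (an HTTPS URL where the report says HTTP is required, and a value that is not a URL). The function names and the `crl.example.test` values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issueTestCert self-signs a throwaway certificate carrying the given CDP values.
func issueTestCert(cdp ...string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), CRLDistributionPoints: cdp}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// lintCDP returns one finding per CDP entry that is not an absolute http:// URL.
func lintCDP(cert *x509.Certificate) (findings []string) {
	for _, raw := range cert.CRLDistributionPoints {
		if u, err := url.Parse(raw); err != nil || u.Scheme == "" || u.Host == "" {
			findings = append(findings, fmt.Sprintf("%q: not a URL", raw))
		} else if u.Scheme != "http" {
			findings = append(findings, fmt.Sprintf("%q: scheme %q, expected http", raw, u.Scheme))
		}
	}
	return findings
}

func main() {
	// Constructed CDP values: correct, HTTPS, and a string with no scheme.
	for _, cdp := range []string{"http://crl.example.test/ca.crl", "https://crl.example.test/ca.crl", "crl.example.test/ca.crl"} {
		cert, err := issueTestCert(cdp)
		if err != nil {
			panic(err)
		}
		fmt.Println(cdp, "->", lintCDP(cert))
	}
}
```

Running such a check against one test certificate per configured template, before the profile goes into production, is the step François describes for any future PKI software installation.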

Flags: needinfo?(francois.chassery)
Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 15-March 2019

Has the "control by the internal audit team" described in comment 5 been completed?

Dear Wayne,

Both certificates are revoked and post issuance linting control by the audit team is effective since 1st of April.

Kind Regards,

François

Flags: needinfo?(francois.chassery)

Dear Francois,

My understanding from your response to other bugs (1539531) is that pre-issuance linting is now operational. Will you please clarify if pre-issuance linting is now occurring for all certificates issued by Certinomis, and if that has replaced post-issuance linting or if both pre- and post-issuance linting are now occurring?

Thanks,

Wayne

Dear Wayne,

Yes pre-issuance is now occurring for all SSL certificates.
Nonetheless post-issuance is also going on (with another linter if my memory is good) because it is the job of the audit team.

Kind regards,

François

Flags: needinfo?(francois.chassery)

It appears that remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(marc.maitre)
Resolution: --- → FIXED
Whiteboard: [ca-compliance] - Next Update - 15-March 2019 → [ca-compliance]
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]