1. How your CA first became aware of the problems listed below (e.g. via a Problem Report, via the discussion in mozilla.dev.security.policy, or via this Bugzilla Bug), and the date.
On 02/04/2019, during an internal systems review, our engineering team discovered a discrepancy in the values of the Locality, State and Country of the Subject field for some SSL certificates when compared to the same values we had on record for the applicant organization. Immediately on the same day, we started to investigate the issue and confirmed that the discrepancy existed in 12 SSL certificates. We determined that the discrepancy was introduced during a renewal request with a very specific set of actions by the applicant during the renewal process. All 12 certificates were reviewed and the discrepancy for each certificate was determined to not warrant revocation within 24 hours; however, all 12 certificates were revoked within 4 days.
2. Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below.
As of 02/04/2019, we have stopped issuing any certificates with this discrepancy. A procedural fix was implemented on 02/04/2019 with a permanent production system fix implemented on 02/05/2019 as described in item #6 below.
3. Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.
Below is the list of the 11 certificates' crt.sh IDs, plus one attached as a .cer file. All of them are revoked at this time.
1119671865; 1119666862; 1078914111; 1078905183; 1078896499; 1078885688; 1078698472; 1078688677; 216515295; 179499444; 181538487.
4. Summary of the problematic certificates. For each problem listed below:
number of certs, date first and last certs with that problem were issued.
The 12 certificates were issued between 3/17/2017 and 1/17/2019.
5. Explanation about how and why the mistakes were made, and not caught and fixed earlier.
During a renewal request, the subscriber is presented with two addresses: the organization main address and a mailing address. The subscriber has the option to update the mailing address. Due to incorrect system configuration, an update to the mailing address triggered an update to the certificate data used to issue the certificate. This issue was not caught earlier because updates of the mailing address during renewal are very rare, as demonstrated by the fact that only 12 certificates had this discrepancy.
6. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Effective 02/05/2019, we implemented an update in our system to ensure that for any renewal request only the organization main address Locality, State and Country will be minted in the certificate.
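The renewal data flow from items 5 and 6 modelled side by side, as an added example that is not part of this report or the CA's system: the misconfigured flow mints Subject L/ST/C from a freshly updated mailing address, the corrected flow always uses the organization main address, and an audit function performs the kind of record-versus-certificate comparison described in item 1. Class, field and function names are assumptions for illustration only.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Hypothetical model of the renewal flow; names are assumptions, not the CA's schema.

@dataclass(frozen=True)
class Address:
    locality: str
    state: str
    country: str

@dataclass(frozen=True)
class OrgRecord:
    org_name: str
    main_address: Address     # validated address of record: the only valid source of L/ST/C
    mailing_address: Address  # contact address the subscriber may edit during renewal

def subject_from(org_name: str, addr: Address) -> Dict[str, str]:
    """Subject DN fields as they would be minted into the certificate."""
    return {"O": org_name, "L": addr.locality, "ST": addr.state, "C": addr.country}

def renew_buggy(org: OrgRecord, new_mailing: Optional[Address]):
    """Misconfigured flow: a mailing-address update also refreshes the data used
    to mint the certificate, so Subject L/ST/C drift from the address of record."""
    if new_mailing is None:
        return org, subject_from(org.org_name, org.main_address)
    org = replace(org, mailing_address=new_mailing)
    return org, subject_from(org.org_name, new_mailing)  # wrong source of L/ST/C

def renew_fixed(org: OrgRecord, new_mailing: Optional[Address]):
    """Corrected flow: the mailing address may change, but Subject L/ST/C are
    always minted from main_address."""
    if new_mailing is not None:
        org = replace(org, mailing_address=new_mailing)
    return org, subject_from(org.org_name, org.main_address)

def audit_subjects(org: OrgRecord, subjects: List[Dict[str, str]]) -> List[int]:
    """Post-issuance check: indices of issued subjects whose L/ST/C differ
    from the organization's address of record."""
    expected = subject_from(org.org_name, org.main_address)
    return [i for i, s in enumerate(subjects)
            if any(s.get(k) != expected[k] for k in ("L", "ST", "C"))]

# Constructed sample data for a stand-alone run.
ORG = OrgRecord("Example Org", Address("Springfield", "Illinois", "US"),
                Address("Springfield", "Illinois", "US"))
NEW_MAILING = Address("Denver", "Colorado", "US")

if __name__ == "__main__":
    _, buggy = renew_buggy(ORG, NEW_MAILING)
    _, fixed = renew_fixed(ORG, NEW_MAILING)
    print("flagged:", audit_subjects(ORG, [buggy, fixed]))  # only the buggy one
```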