Telia did a mass lint scan of all its SSL certificates on Friday, February 8, 2019, to find old certificates that are invalid. This mass scan revealed 9 previously unknown invalid certificates in 6 different error categories:
a) 2 certificates: CN IP value incorrectly in the SAN DNS field (e_dnsname_not_valid_tld) (created in 2016)
b) 1 certificate: FQDN value incorrectly in the SAN rfc822 field (e_ext_san_rfc822_name_present, e_subject_common_name_not_from_san) (created in 2016)
c) 1 certificate: CN SAN had a leading space (e_dnsname_bad_character_in_label, e_subject_common_name_not_from_san) (created in 2016)
d) 1 certificate: CN FQDN without domain part (e_dnsname_not_valid_tld) (created in 1Q2017)
e) 1 certificate: invalid wildcard format (e_dnsname_left_label_wildcard_correct) (created in 1Q2018)
f) 3 certificates: invalid OU value "-" (e_subject_contains_noninformational_value) (created in 2017-2Q2018)
The incident report for category b) is in this bug. The others are in separate incident reports created by Telia.
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
Telia did a mass lint scan of all its SSL certificates on Friday, February 8, 2019.
- A timeline of the actions your CA took in response.
Friday, February 8, 2019: Discovery by Telia itself
Friday, February 8, 2019: Preliminary analysis of the issue by the Telia Security Board (e_ext_san_rfc822_name_present, e_subject_common_name_not_from_san). Not critical, but invalid according to BR 4.9.1.1, rule 7, thus the decision was: "Should be revoked within 24 hours and MUST revoke a Certificate within 5 days".
Friday, February 8, 2019: Revoked by Telia CA
Monday, February 11, 2019: Quick analysis that confirmed that a similar error can't happen in current Telia systems.
February 11-15: Root cause analysis: This certificate was an internal Telia CA certificate. It was exceptionally created by one of the administrators using the CA console, which had a complex GUI at the time (Sep 2016). The administrator manually selected an incorrect field when copying the CN to the SAN, a human mistake.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Telia completely stopped using the console GUI that caused the issue in early 2018. The issuer that created these kinds of technical certificates (TeliaSonera Gateway CA v2) was also closed in 2018. Certificate profiles now prevent the use of any SAN field other than SAN DNS or SAN IP.
- A summary of the problematic certificates.
- The complete certificate data for the problematic certificates.
Only one certificate of this kind exists. The affected certificate has the CN value "puolukka.cover.sonera.net" and serial 66429e46fea54a99d27a0858c0794768, and was created on September 26, 2016 with a three-year validity. It can't be found in CT logs, but Telia can give details of it if asked.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
See the root cause analysis above for why this happened. This wasn't detected earlier by Telia, browsers, auditors or the community because a) it caused no problems, b) it was used by an LDAP server only, c) it wasn't logged to CT, d) the creation method was exceptional, and e) Telia didn't lint check old certificates before now. If a similar problem happened now, the issue would be detected by Telia's regular lint checks.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Telia has already resolved this as described above.
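The lint checks named in categories a) to f) above, as an added example that is not part of Telia's report or of zlint: a Go program using only the standard library that builds a constructed self-signed certificate reproducing the category b) defect (the CN copied into an rfc822Name SAN instead of a dNSName) and runs simplified versions of the cited checks over it. The function names, the serial number and the TLD heuristic are assumptions made here; zlint's real e_dnsname_not_valid_tld consults the IANA TLD list, and the OU check of category f) is not implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Lint names follow the zlint checks the report cites; ldh is the allowed label alphabet. Example code, not zlint.
const (
	CNNotFromSAN       = "e_subject_common_name_not_from_san"
	SANRFC822Present   = "e_ext_san_rfc822_name_present"
	DNSNameBadChar     = "e_dnsname_bad_character_in_label"
	DNSNameNotValidTLD = "e_dnsname_not_valid_tld"
	WildcardIncorrect  = "e_dnsname_left_label_wildcard_correct"
	ldh                = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"
)

// lintDNSName checks one SAN dNSName: label characters, wildcard placement and TLD; one finding per offending label.
func lintDNSName(name string) (out []string) {
	labels := strings.Split(name, ".")
	for i, label := range labels {
		switch {
		case label == "*" && i == 0 && len(labels) > 1: // the one permitted wildcard form
		case strings.Contains(label, "*"):
			out = append(out, WildcardIncorrect) // "*" inside a label or not leftmost (e)
		case strings.Trim(label, ldh) != "":
			out = append(out, DNSNameBadChar) // e.g. a leading space (c)
		}
	}
	// Simplified from zlint (IANA TLD list): a lone label (d) or an all-digit/empty last label (IP in DNS field, a) fails.
	if len(labels) < 2 || strings.Trim(labels[len(labels)-1], "0123456789") == "" {
		out = append(out, DNSNameNotValidTLD)
	}
	return out
}

// cnInSAN reports whether the CN is repeated as a SAN dNSName or iPAddress.
func cnInSAN(cn string, c *x509.Certificate) bool {
	names := append([]string(nil), c.DNSNames...)
	for _, ip := range c.IPAddresses {
		names = append(names, ip.String())
	}
	for _, n := range names {
		if strings.EqualFold(n, cn) {
			return true
		}
	}
	return false
}

// lintCertificate runs the checks behind categories a) to e) of the report.
func lintCertificate(c *x509.Certificate) (out []string) {
	if len(c.EmailAddresses) > 0 {
		out = append(out, SANRFC822Present) // rfc822Name has no place in a TLS server cert (b)
	}
	if cn := c.Subject.CommonName; cn != "" && !cnInSAN(cn, c) {
		out = append(out, CNNotFromSAN)
	}
	for _, d := range c.DNSNames {
		out = append(out, lintDNSName(d)...)
	}
	return out
}

// buildTestCert self-signs a constructed certificate and parses it back, so the lints run on real DER as a CA database scan would.
func buildTestCert(cn string, dnsNames, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1), // constructed value, not the serial in the report
		Subject:        pkix.Name{CommonName: cn},
		DNSNames:       dnsNames,
		EmailAddresses: emails,
		NotBefore:      time.Date(2016, 9, 26, 0, 0, 0, 0, time.UTC),
		NotAfter:       time.Date(2019, 9, 26, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	bad, err := buildTestCert("puolukka.cover.sonera.net", nil, []string{"puolukka.cover.sonera.net"})
	if err != nil {
		panic(err)
	}
	fmt.Println(lintCertificate(bad)) // category b): CN copied into an rfc822Name SAN, not a dNSName
}
```

Running it prints [e_ext_san_rfc822_name_present e_subject_common_name_not_from_san], the two lints the report lists for category b); the same subject issued with the CN in a dNSName SAN produces no findings. A fleet scan of the kind described above would feed every DER blob in the CA's issuance database through lintCertificate rather than relying on CT, since, as the report notes, this certificate was never logged there.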