1 How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
• We became aware of the problem both from the EJBCA 63-bit entropy problem reports in the community and from internal monitoring, after searching our certificates for this entropy problem.
2 A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
- March 3: We received an announcement from EJBCA, which is our CA software vendor.
- March 4-5: We investigated our system and started fixing the other software that uses CA data, such as RA systems. The size of the serial number fields was increased.
- March 13-14: All software was updated and the serial number length parameter in the CA (EJBCA) was changed from 8 bytes to 16 bytes (128 bits).
- March 14: We started to reissue all certificates that had not previously been revoked or expired. After reissuing the certificates and delivering the new ones to their owners, all existing certificates were revoked.
3 Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
• As of March 13, the causes of the problem are fixed. No more certificates will be issued with this problem.
4 A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
14 certificates were affected by this problem. All of them have been revoked or are being revoked. Earliest and latest issue dates: 2016.12.16 15:35 - 2019.03.12 23:21
5 The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
An Excel spreadsheet was prepared. https://www.e-tugra.com.tr/portals/6/download/report/CertificatesWith63Entropy.xlsx
6 Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
We did not detect the issue with the linting tools. Cablint does not detect the problem. We realized that only zlint reports this problem, and only as a warning.
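As an added illustration of why a per-certificate linter can only warn about this problem (example code written for this page; it is not E-Tugra's, EJBCA's, cablint's or zlint's tooling): a single serial number with fewer than 64 significant bits is not proof of anything, because a genuine 64-bit random serial has a leading zero bit half of the time. A generator that clears the top bit of an 8-byte serial to keep the DER INTEGER encoding at 8 octets, however, never produces a serial with bit 63 set, and that is visible as soon as a few dozen serials from the same CA are inspected together. The serial values below are constructed sample data, not the affected certificates.

```python
"""Serial-number entropy checks: per-certificate lint and a population check.

Added example for this page; the serials below are constructed, not real.
"""

MIN_SERIAL_BITS = 64  # Baseline Requirements: at least 64 bits of CSPRNG output


def der_integer_content(serial: int) -> bytes:
    """Content octets of a DER INTEGER for a positive serial number.

    DER integers are two's complement, so a value whose top bit is set needs a
    leading 0x00 octet: an 8-byte serial with bit 63 set is encoded in 9 octets.
    Clearing that bit to stay at 8 octets leaves only 63 random bits.
    """
    if serial <= 0:
        raise ValueError("serial number must be positive")
    content = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return content


def serial_from_der_content(content: bytes) -> int:
    """Decode DER INTEGER content octets back into the serial number."""
    return int.from_bytes(content, "big", signed=True)


def lint_serial(serial: int) -> list:
    """Checks a linter can make on one certificate in isolation."""
    problems = []
    if serial <= 0:
        problems.append("serial is not a positive integer")
        return problems
    if len(der_integer_content(serial)) > 20:
        problems.append("serial is encoded in more than 20 octets")
    if serial.bit_length() < MIN_SERIAL_BITS:
        # Only a warning: a real 64-bit random serial has leading zero bits
        # half of the time, so one short serial does not prove a bad generator.
        problems.append("warning: serial has only %d significant bits" % serial.bit_length())
    return problems


def population_check(serials, serial_octets: int = 8) -> dict:
    """Look across all serials issued by an N-octet generator.

    With uniformly random bits each serial sets the top bit with probability
    1/2, so the chance that none of n serials does is 2**-n. A generator that
    clears the top bit never sets it, which stands out after a few dozen serials.
    """
    top_bit = 1 << (serial_octets * 8 - 1)
    n = len(serials)
    with_top_bit = sum(1 for s in serials if s & top_bit)
    p_if_healthy = 2.0 ** -n if with_top_bit == 0 else None
    suspicious = with_top_bit == 0 and n >= 10  # 2**-10 is below 0.1%
    return {"count": n, "top_bit_set": with_top_bit,
            "p_if_healthy": p_if_healthy, "suspicious": suspicious}


# Constructed sample data: 12 serials from a generator that clears bit 63,
# and 12 from one that leaves all 64 bits random.
CLEARED_TOP_BIT = [
    0x7F3A9C1E5B2D4F60, 0x3C8E1A7D9F024B15, 0x5D2B6E0C8A1F7394,
    0x6A4F0D3B7C9E2158, 0x1E7C5A92D4B0F836, 0x4B9D2F6E1C7A0543,
    0x72C1E4A8F5D3B069, 0x2F5E8B1D4A7C9E30, 0x689A3D5F1B2E7C04,
    0x0D4F7B2A9C6E1835, 0x57E2A9C4F0B1D368, 0x3A6C9E0F2B5D8147,
]
FULL_64_BIT = [
    0x9F3A9C1E5B2D4F60, 0x3C8E1A7D9F024B15, 0xDD2B6E0C8A1F7394,
    0x6A4F0D3B7C9E2158, 0x8E7C5A92D4B0F836, 0x4B9D2F6E1C7A0543,
    0xF2C1E4A8F5D3B069, 0x2F5E8B1D4A7C9E30, 0xA89A3D5F1B2E7C04,
    0x0D4F7B2A9C6E1835, 0xC7E2A9C4F0B1D368, 0x3A6C9E0F2B5D8147,
]


def warnings_per_population(serials) -> int:
    """How many serials in a population the per-certificate lint would warn about."""
    return sum(1 for s in serials if lint_serial(s))


if __name__ == "__main__":
    for name, pop in (("cleared top bit", CLEARED_TOP_BIT), ("full 64 bit", FULL_64_BIT)):
        print(name, "per-cert warnings:", warnings_per_population(pop),
              "population:", population_check(pop))
```

The per-certificate lint warns on every serial from the bad generator but also on half of the serials from the good one, which is why it can only be a warning; the population check separates the two generators cleanly and is the kind of search over all issued certificates that item 1 describes.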
7 List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
All actions have been taken. All certificates were revoked and the CA settings in EJBCA were fixed.