Closed Bug 1542793 Opened 5 months ago Closed 4 months ago

Certinomis: Invalid SAN in a certificate

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: francois.chassery, Assigned: francois.chassery)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36

Actual results:

Here is an incident report align the mozilla template :

1/ How your CA first became aware of the problem.
After a notification of Alex TAYLOR posted on friday evening.
And by the internal bug report received on monday morning.

2/ A timeline of the actions your CA took in response.

05/04/2019 14:42:27 : issuance of a certifcate whith an empty SAN
08/04/2019 14:59:55 : revocation of the certificate
08/04/2019 15:10:16 : issuance of one certificate with an empty SAN
08/04/2019 15:12:50 : revocation of the certificate

3/ Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.
the cause has been identified and the problem is now corrected

4/ A summary of the problematic certificates.
2 certificates "vsmp-ada.net-courrier.extra.laposte.fr"

5/ The complete certificate data for the problematic certificates.
https://crt.sh/?id=1352972593
https://crt.sh/?id=1363525547

6/ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The request made by our mother compny's RA (always for the domain name "laposte.fr" are created by technicians under the forme of a CSR).
The registration operator who validated the request did not care that an empty space had been entered by mistake.

7/ List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.
This RA will be disabled tomorrow, and that will last until pre-issuance linting will be operative on our PKI.

Assignee: wthayer → francois.chassery
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]
Summary: invalid SAN in a certificate → Certinomis: Invalid SAN in a certificate

Hello,

For confirmation, ALL external RAs have been disabled until pre-issuance linting will be operational (scheduled end of April).

Kind Regards,

François

Flags: needinfo?(francois.chassery)
Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 01-May 2019

Francois: Could you provide more details about the flow of the RA entering domains? That is, it's not clear how the RA entering or not noticing the space would cause this issue, and so understanding more about the operational flow of how the order process works is important to understanding the root cause.

Hello Ryan,

The RA does not enter the domain.
Only Certinomis does.
When an operator of an external RA validates a certificate request it can only do for a domain or for subdomains of a domain, that has been previously controlled and authorized for this RA by Certinomis.

For instance, the RA involved in the certificate of bug 1542793 can only validate certificates whose CN will end by ".laposte.fr"
And if they would want to validate a certificate ending by ".laposte.net" that is owned by the same company LA POSTE, they would need to ask to Certinomis to authorise this domain for them.

This precised, here is the process for obtaining a certificate with a CSR :

  • a technician generates a CSR on a server;
  • he passes it to an RA operator;
  • the operator checks whether this demand is legitimate or not (internal procedure of the RA);
  • the operator copy-pastes the CSR in the operator's GUI;
  • the GUI displays the information that are going to be contained in the certificate (CN, SAN, Locality, State) and the identity of the person in charge of the server;
  • the operator controls the displayed information and if OK, validates the certificate request.

Kind Regards,

François

Flags: needinfo?(francois.chassery)

The priority flag is not set for this bug.
:kwilson, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(kwilson)

(In reply to Release mgmt bot [:sylvestre / :calixte] from comment #4)

The priority flag is not set for this bug.
:kwilson, could you have a look please?

For more information, please visit auto_nag documentation.

Changed the bug type to Task, so it will not be part of Mozilla's regular bug triage process.

Type: defect → task
Flags: needinfo?(kwilson)

Hello,

Pre-issuance linting is now operational.

Kind Regards,

François

Flags: needinfo?(francois.chassery)

It appears that remediation has been completed.

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Flags: needinfo?(francois.chassery)
Resolution: --- → FIXED
Whiteboard: [ca-compliance] - Next Update - 01-May 2019 → [ca-compliance]
You need to log in before you can comment on or make changes to this bug.