This is an incident report for the issue according to https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We became aware during our regular crt.sh lint tools review.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
May 6, 2019 16:51 GMT – The first certificate with Common Name value not from Subject Alternative Name was issued.
May 7, 2019 12:41 GMT – The second certificate with Common Name value not from Subject Alternative Name was issued.
May 8, 2019 05:00 GMT – We became aware of these two misissuances.
May 8, 2019 05:50 GMT – We found the reason for these two misissuances.
May 8, 2019 06:00 GMT – We blocked possibilities of issuance of further certificates with such error by disallowing the possibility of making a correction (workaround).
May 8, 2019 14:00 GMT – We finished scanning our certificate database. We did not find any other certificates with such an error.
May 8, 2019 16:00 GMT – We prepared a fix for the software and decided to deploy it to production in the next scheduled deployment (at the end of May).
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
May 8, 2019 06:00 GMT.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
First certificate notBefore date: May 6 16:51:00 2019 GMT.
Last certificate notBefore date: May 7 12:41:31 2019 GMT.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
These certificates have been revoked.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
This mistake is the result of a software bug. For two of our SSL certificate profiles the data correction process was not implemented correctly. If a registration inspector had to change some data in a certification request, such as the Locality Name or Organizational Unit Name, the value from Common Name was removed from Subject Alternative Name.
The bug avoided detection until now because there was no proper test scenario for such a case.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
We fixed the bug in the software. We plan to deploy it to production at the end of May 2019.
We added a test scenario to verify whether the value from Common Name is present in Subject Alternative Name.
We are in the process of developing pre-issuance linting and, as I mentioned in the other thread, we plan to run it by the end of June 2019.
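As an added illustration of the failure mode described in this report and of the pre-issuance check that catches it (this is example code, not the CA's software): a small model of a certification request, a hypothetical reconstruction of the faulty correction path that drops the Common Name from the SAN list when a subject field is edited, the corrected path that preserves it, and a lint function that refuses any request whose Common Name is not covered by a subjectAltName dNSName. The `Request` structure, its field names and the `correction_*` helpers are constructed for this example; the lint only handles dNSName entries, not iPAddress.

```python
"""CN-in-SAN pre-issuance lint, modelled on the misissuance described above.

Added example: the request structure and the correction helpers are a
hypothetical reconstruction for illustration, not the CA's actual code.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class Request:
    # Subject fields that a registration inspector may correct (assumed names).
    common_name: str
    locality: str
    org_unit: str
    # subjectAltName dNSName entries that will be placed in the certificate.
    san_dns_names: List[str] = field(default_factory=list)


def normalise(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and lower-case."""
    return name.rstrip(".").lower()


def correction_buggy(req: Request, **changes) -> Request:
    """Hypothetical faulty path: the edited subject is rebuilt, but the SAN
    list is rebuilt from the 'extra' names only, so the Common Name value
    disappears from subjectAltName."""
    edited = replace(req, **changes)
    extras = [n for n in req.san_dns_names
              if normalise(n) != normalise(req.common_name)]
    return replace(edited, san_dns_names=extras)


def correction_fixed(req: Request, **changes) -> Request:
    """Corrected path: subject fields change, the SAN list is kept, and the
    Common Name is re-added at the front if it is somehow missing."""
    edited = replace(req, **changes)
    sans = list(edited.san_dns_names)
    if normalise(edited.common_name) not in {normalise(n) for n in sans}:
        sans.insert(0, edited.common_name)
    return replace(edited, san_dns_names=sans)


def lint_cn_in_san(req: Request) -> Optional[str]:
    """Pre-issuance lint. Returns None when the Common Name is present in
    subjectAltName, otherwise a human-readable description of the violation
    so issuance can be blocked before the certificate is signed."""
    if not req.san_dns_names:
        return "no subjectAltName dNSName entries"
    if normalise(req.common_name) not in {normalise(n) for n in req.san_dns_names}:
        return f"commonName {req.common_name!r} is not present in subjectAltName"
    return None


if __name__ == "__main__":
    # Constructed sample request; the names are placeholders.
    original = Request("www.example.com", "Warsaw", "IT",
                       ["www.example.com", "example.com"])
    print("original:", lint_cn_in_san(original))

    broken = correction_buggy(original, locality="Gdansk")
    print("after buggy correction:", broken.san_dns_names,
          "->", lint_cn_in_san(broken))

    repaired = correction_fixed(original, locality="Gdansk")
    print("after fixed correction:", repaired.san_dns_names,
          "->", lint_cn_in_san(repaired))
```

Running the lint on the output of every correction step, rather than only on the initial request, is what turns the test scenario mentioned above into an issuance gate: the faulty path produces a request whose SAN list no longer contains the Common Name (or is empty when the Common Name was the only entry), and the lint rejects it in both cases.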