Closed Bug 1551390 Opened 4 months ago Closed 4 months ago

Certinomis: 174 certificates with unknown OCSP status

Categories

(NSS :: CA Certificate Compliance, task)


RESOLVED FIXED

People

(Reporter: agwa-bugs, Assigned: francois.chassery)

Details

(Whiteboard: [ca-compliance])

Attachments

(1 file)

I checked the OCSP status of all 1,714 unexpired (pre)certificates issued by Certinomis that are known to CT. 174 have "unknown" status. I've attached a list of crt.sh links.

Note that I deduplicated certificates and precertificates.

See also Bug 1551357 and Bug 1544933.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
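The check described above (query OCSP for every CT-known certificate, collapse each precertificate with its final certificate, tally the "unknown" answers per issuer and per common name) as an added example, not code from the bug report or from Certinomis. The scan records, fingerprints and serial numbers are constructed placeholders.

```python
from collections import Counter

# Constructed scan records (not from the bug): one row per crt.sh entry, i.e. per
# distinct SHA-256, carrying the two fields an OCSP request is keyed on
# (issuer, serial). Fingerprints and serials are placeholders.
SCAN = [
    # (sha256, issuer CN, serial, is_precert, leaf CN, OCSP status)
    ("aa11", "Certinomis - Easy CA",      "01", True,  "PESV2HARVEY.ch-rueil.fr", "unknown"),
    ("bb22", "Certinomis - Easy CA",      "01", False, "PESV2HARVEY.ch-rueil.fr", "unknown"),
    ("cc33", "Certinomis - Easy CA",      "02", True,  "PESV2HARVEY.ch-rueil.fr", "unknown"),
    ("dd44", "Certinomis - AA et Agents", "03", True,  "mediatheque-lecannet.fr", "unknown"),
    ("ee55", "Certinomis - Web CA",       "04", True,  "ok.example",              "good"),
    ("ff66", "Certinomis - Web CA",       "04", False, "ok.example",              "unknown"),
    ("0077", "Certinomis - Web CA",       "05", True,  "PESV2HARVEY.ch-rueil.fr", "unknown"),
]

def dedupe(records):
    """Collapse a precertificate and its final certificate into one entry.

    They have different SHA-256 fingerprints (the precert carries the CT poison
    extension) but share issuer and serial, which is what an OCSP responder
    answers on, so the pair is one logical certificate. A pair whose two
    lookups disagree is reported as a conflict instead of being merged silently.
    """
    by_key, conflicts = {}, []
    for _sha, issuer, serial, _is_pre, cn, status in records:
        key = (issuer, serial)
        if key in by_key and by_key[key]["status"] != status:
            conflicts.append(key)
        by_key.setdefault(key, {"issuer": issuer, "cn": cn, "status": status})
    return list(by_key.values()), conflicts

def unknown_by_issuer(entries):
    """Per-issuer count of logical certificates whose OCSP status is 'unknown'."""
    return Counter(e["issuer"] for e in entries if e["status"] == "unknown")

def unknown_cn_stats(entries):
    """Number of distinct CNs among the 'unknown' entries, plus the most common CN."""
    cns = Counter(e["cn"] for e in entries if e["status"] == "unknown")
    top_cn, top_count = cns.most_common(1)[0] if cns else (None, 0)
    return len(cns), top_cn, top_count

if __name__ == "__main__":
    entries, conflicts = dedupe(SCAN)
    print(f"{len(SCAN)} crt.sh entries -> {len(entries)} logical certificates")
    for issuer, n in unknown_by_issuer(entries).most_common():
        print(f"{n:4d}  Issuer CN: {issuer}")
    print("distinct CNs / top CN / its count:", unknown_cn_stats(entries))
    print("cert/precert pairs with conflicting OCSP answers:", conflicts)
```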

Here is an incident report aligned with the Mozilla template:

1/ How your CA first became aware of the problem.
After the opening of the bug by Andrew AYER

2/ A timeline of the actions your CA took in response.

07/08/2019 issuance of pre-certificates without creation of a certificate (EASY CA and AA & Agents CA)
16/04/2019 opening of bug 1544933 that points to a problem with pre-certificates
06/05/2019 setting of all certificate profiles to WEB CA, which does not have the problem
13/05/2019 issuance of pre-certificate on EASY CA
14/05/2019 start of a comprehensive round of control and test of every certificate profile
14/05/2019 freeze on certificate issuance until the control and test are completed

3/ Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.
Yes, we stopped all issuance prior to an extensive control of certificate profiles

4/ A summary of the problematic certificates.
174 pre-certificates compiled in the file https://bugzilla.mozilla.org/attachment.cgi?id=9064656
(most are duplication of the same request)

5/ The complete certificate data for the problematic certificates.
174 pre-certificates compiled in the file https://bugzilla.mozilla.org/attachment.cgi?id=9064656

6/ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
There is a problem on the PKI supporting EASY CA with CT Log: requests are sent even when the certificate is not issued, as has been stated in bug 1544933. But we did not come to the conclusion, which seems obvious now, that the OCSP response is "unknown".
Many of the occurrences are for the same non-functioning request ("PESV2HARVEY.ch-rueil.fr" for instance, or "mediatheque-lecannet.fr")

7/ List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future.
The decision has been made to transfer all certificate issuance to two CAs based on a new instance of EJBCA that does not encounter the problem.
As was found in bug 1551357, some profiles had not been treated, so we are stopping all SSL certificate issuance from now on until unit testing of every product in the RA application demonstrates that none will address EASY CA anymore.
For revocation of these pre-certificates, we have a meeting with EJBCA this afternoon to find out how to revoke a non-issued certificate.
It is unlikely to yield anything other than "unknown" for the OCSP status.

Flags: needinfo?(francois.chassery)

Here's a tally of number of unknown certificates per issuer:

 84         Issuer: C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - AA et Agents
 81         Issuer: C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Easy CA
  9         Issuer: C=FR, O=Certinomis/2.5.4.97=NTRFR-433998903, CN=Certinomis - Web CA

As you can see, "Web CA" has the problem also.

I also see 30 distinct common names among these certificates. The most common CN, PESV2HARVEY.ch-rueil.fr, is in 40 certificates. Therefore it is not accurate to attribute "most" of these certificates to the same request.

It seems that Certinomis' analysis of this problem is incomplete.

07/08/2019 issuance of pre-certificate without creation of a certificate (EASY CA and AA & Agents CA)

This date in comment #1 appears to be incorrect.

Assignee: wthayer → francois.chassery
Whiteboard: [ca-compliance]

In the time since I performed my analysis yesterday, Certinomis has issued two new precertificates whose OCSP status is unknown:

https://crt.sh/?sha256=B0FFD894F16455F940ECD529A8F198D0EBCD750BEE9847AB031CF05F88F9FDE9&opt=ocsp
https://crt.sh/?sha256=EF25100C5876707BA4061E0E806DF9E7815BCB10AFA3755B5AE8796EA9210711&opt=ocsp

The issuer of these two precertificates is "Certinomis - Web CA".

Dear Andrew,

Here's a tally of number of unknown certificates per issuer:

84 Issuer: C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - AA et Agents
81 Issuer: C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Easy CA
9 Issuer: C=FR, O=Certinomis/2.5.4.97=NTRFR-433998903, CN=Certinomis - Web CA

As you can see, "Web CA" has the problem also.

You are right on the figures, but I do not share your conclusion. Indeed, there is a factor of eighteen between the two instances: 165 errors for Easy CA + AA&Agents CA and 9 for Web CA. This is how to understand what I wrote: there is a frequent problem on the old instance receiving the CT log answer. So we decided to move to the new one, which does not mean that there is never a failure in creating a certificate after sending a CT log query.
But we have found that it is not the same ("the") problem, and find it more efficient to focus our effort on only one instance, where pre-issuance linting is also installed. Maybe you have noticed that among the 9 errors on Web CA, 6 are on the same day, which speaks more for an accidental problem than a generic one (for instance a network trouble or any production problem of that kind).
So we decided to move all products to Web CA and Safe CA.

I also see 30 distinct common names among these certificates. The most common CN, PESV2HARVEY.ch-rueil.fr, is in 40 certificates. Therefore it is not accurate to attribute "most" of these certificates to the same request.

Here I disagree with you.
Indeed, an "s" is missing in my answer to point 4: "most are duplication of the same requetS".
An indication of that plural is that I gave you not a single example but two examples.
So you are right that there are 30 domain names involved in 174 errors, because most errors are duplications of the same requests, and one third are on the two domain names that I gave as examples.

Kind Regards,

François

Flags: needinfo?(francois.chassery)

Dear Wayne,

Yes, I confirm the typing error; 07/08/2018 should be read.

Kind Regards,

François

Flags: needinfo?(francois.chassery)

The Certinomis Root CA is being removed from the Mozilla root store in bug 1552374, so I am resolving this bug. Additional comments that may be useful when considering any future application by Certinomis are welcome.

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Flags: needinfo?(francois.chassery)
Resolution: --- → FIXED