Closed Bug 1586604 Opened 2 years ago Closed 2 years ago

DigiCert: TERENA: No localityName in EV precert


(NSS :: CA Certificate Compliance, task)


(Reporter: michel, Assigned: jeremy.rowley)


(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

I found two unrevoked EV precertificates issued by TERENA that don't have a localityName in subject:,ocsp,ocsp

I couldn't find corresponding leaf certificates.

Assignee: wthayer → jeremy.rowley
Type: defect → task
Ever confirmed: true
Summary: TERENA: No localityName in EV precert → DigiCert: TERENA: No localityName in EV precert
Whiteboard: [ca-compliance]

Locality is not a required field. Per Section 9.2.6 of the EV Guidelines, a state or locality is required, but not both. This is a false positive.

(Note that the EV Guidelines actually reference the BRs in the section.)

Certificate Field: subject:localityName (OID:
Required if the subject:organizationName field, subject:givenName field, or subject:surname field are present and the subject:stateOrProvinceName field is absent.
Optional if the subject:stateOrProvinceName field and the subject:organizationName field, subject:givenName field, or subject:surname field are present.
Prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.
Contents: If present, the subject:localityName field MUST contain the Subject’s locality information as verified under Section If the subject:countryName field specifies the ISO 3166-1 user-assigned code of XX in accordance with Section, the localityName field MAY contain the Subject’s locality and/or state or province information as verified under Section

The certificate includes the state, but not the locality, which is appropriate for this organization.
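
The Required/Optional/Prohibited rule quoted above, written as a lint check. This is an added example, not part of the bug discussion and not code from cablint, x509lint or ZLint; the function names, the over-strict comparison check and the sample subjects are assumptions constructed for illustration.

```python
# Added example: a localityName lint following the rule text quoted above.
# Attribute names are spelled as in that text; all subjects are constructed.

IDENTITY_ATTRS = {"organizationName", "givenName", "surname"}


def locality_requirement(present):
    """Return 'required', 'optional' or 'prohibited' for localityName.

    `present` is the set of attribute type names found in the subject.
    """
    if not (present & IDENTITY_ATTRS):
        return "prohibited"
    if "stateOrProvinceName" not in present:
        return "required"
    return "optional"


def lint_locality(subject):
    """Lint a subject given as (attribute type, value) pairs."""
    present = {attr for attr, _ in subject}
    status = locality_requirement(present)
    if status == "required" and "localityName" not in present:
        return ["ERROR: localityName missing and stateOrProvinceName absent"]
    if status == "prohibited" and "localityName" in present:
        return ["ERROR: localityName present without organizationName, givenName or surname"]
    return []


def overstrict_lint_locality(subject):
    """Hypothetical over-strict check: always demands localityName."""
    present = {attr for attr, _ in subject}
    return [] if "localityName" in present else ["ERROR: localityName missing"]


# Constructed subjects (placeholder values, not taken from any certificate).
STATE_ONLY = [("countryName", "NL"), ("stateOrProvinceName", "Example Province"),
              ("organizationName", "Example Org")]
NO_STATE_NO_LOCALITY = [("countryName", "NL"), ("organizationName", "Example Org")]
LOCALITY_WITHOUT_ORG = [("countryName", "NL"), ("localityName", "Example City")]

if __name__ == "__main__":
    for name, subj in [("state only", STATE_ONLY),
                       ("no state, no locality", NO_STATE_NO_LOCALITY),
                       ("locality without org", LOCALITY_WITHOUT_ORG)]:
        print(name, "| rule:", lint_locality(subj),
              "| over-strict:", overstrict_lint_locality(subj))
```

The `STATE_ONLY` subject has the shape discussed in this bug (state present, locality absent): the rule-based check returns no finding, while the over-strict check flags it.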

I agree with Jeremy that's opt=cablint feature is showing a false positive here. A Pull Request was opened well over a year ago to fix this upstream (, but unfortunately it's still waiting.

opt=x509lint also reports a false positive at the moment. As it happens, I opened a few days ago to fix this upstream. (BTW, on this PR I noted how unfortunate/misleading it is that EVG 9.2.6 still has a "(where applicable)" next to "State or province", even though "City or town" is now equally optional).

opt=zlint doesn't report a false positive. ZLint seems to be much more actively maintained than certlint/cablint or x509lint these days.

I'm sorry for this misreport. I saw that both tools reported an error, so I assumed that there is an issue and I didn't read the Guidelines again. I will try to be more careful in the future.

Closed: 2 years ago
Resolution: --- → INVALID

No problem Michel! Thanks a ton for the input and flagging it.
