Because of an unplanned, event-related issuance of a CRL during a maintenance change, the CRL was issued incorrectly and mistakenly contained entries for certificates that had not been revoked.
No revocation lists were supposed to be created during the change. The plan was to create a revocation list after the database update.
Note: The incorrect CRL contained entries for certificates that had not been revoked, but all certificates that really had been revoked were included correctly in the CRL. There was no security issue concerning the possibility of using revoked certificates.
1. How your CA first became aware of the problem, and the time and date.
2020-07-23 06:22 CEST: We were informed about an incident from our internal management center.
2. A timeline of the actions your CA took in response.
2020-07-22 07:54 CEST Start of the change, beginning with preparatory actions.
2020-07-22 12:50 CEST Access to the customer portal has been blocked.
2020-07-23 03:56 CEST Unplanned, event-related issuance of a new CRL. This CRL was incorrect.
2020-07-23 06:22 CEST We were informed about an incident from our internal management center.
2020-07-23 07:00 CEST First conference call about this incident. The ongoing change was assumed to be related to the error.
2020-07-23 07:10 CEST Start of verification actions to confirm a possible relationship.
2020-07-23 08:10 CEST The faulty routine was found and stopped. Start of mitigating actions.
2020-07-23 08:33 CEST Erroneous database records fixed.
2020-07-23 08:48 CEST Publication of a new CRL as a planned task of the change.
2020-07-23 09:45 CEST Further external tests completed. Status requests for all certificates (the affected ones and all others) are correct.
2020-07-23 11:08 CEST Evaluation of the affected customers, preparation of the customer letter.
2020-07-23 14:40 CEST Customer letter sent.
2020-07-24 15:15 CEST 24 h safeguarding phase (awaiting customer feedback) completed. QA task of the change was closed.
2020-07-24 15:34 CEST Access to the customer portal has been activated again.
3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
No certificates could be issued while the customer portal was blocked.
4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates, please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.
There were no misissued certificates. 907 valid (that is, not revoked) certificates from “TeleSec ServerPass Class 2 CA” were mistakenly put in the CRL.
5. The complete certificate data for the problematic certificates.
Serial numbers of the affected certificates are attached.
6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Within the planned change, faulty data was passed to a clean-up script due to a software error. This also caused active customer accounts that should not have been deleted to be deleted by mistake. As a consequence of this deletion, the certificates of the affected customer accounts were marked for inclusion in the revocation list, and an erroneous, event-related CRL was issued unplanned. The plan was for the revocation list to be issued only after completion of the database update within the context of the change.
7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
Planned modification of the software: In automated scripts, customer accounts are no longer deleted directly; they are first deactivated, checked, and only then released for deletion.
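
A sketch of the deactivate, check, release sequence described above, added here as an illustration and not the CA's own code. The account model, the function names, and the content of the check (deletion approved out of band, no valid certificates left on the account) are assumptions; the sample accounts are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    DEACTIVATED = "deactivated"   # reversible, certificates untouched
    RELEASED = "released"         # passed the check, may be deleted


@dataclass
class Account:
    account_id: str
    valid_serials: set = field(default_factory=set)  # unexpired, not revoked
    state: State = State.ACTIVE


def deactivate(acct):
    if acct.state is State.ACTIVE:
        acct.state = State.DEACTIVATED


def check(acct, approved_ids):
    """Assumed check: deletion was approved out of band and no valid
    certificate would be pulled into the CRL as a side effect."""
    return acct.account_id in approved_ids and not acct.valid_serials


def cleanup(db, candidate_ids, approved_ids):
    """Run deactivate -> check -> release -> delete over the script input.
    Returns (deleted_ids, restored_ids)."""
    deleted, restored = [], []
    for cid in candidate_ids:
        acct = db.get(cid)
        if acct is None:
            continue
        deactivate(acct)
        if acct.state is State.DEACTIVATED and check(acct, approved_ids):
            acct.state = State.RELEASED
            del db[cid]
            deleted.append(cid)
        else:
            acct.state = State.ACTIVE   # failed check: reactivate, keep certs
            restored.append(cid)
    return deleted, restored


def demo():
    # Constructed data: the faulty input wrongly lists two active customers.
    db = {"cust-001": Account("cust-001", {"0x1a2b"}),
          "cust-002": Account("cust-002", {"0x3c4d", "0x5e6f"}),
          "cust-003": Account("cust-003")}   # closed, no valid certificates
    faulty_input = ["cust-001", "cust-002", "cust-003"]
    return cleanup(db, faulty_input, approved_ids={"cust-003"}), db
```

With the faulty input, only the approved, certificate-free account is removed; the two active accounts are reactivated and none of their serials become candidates for the CRL.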