Closed Bug 1667846 Opened 4 years ago Closed 4 years ago

Izenpe: Certificates not disclosed in CCADB

Categories: CA Program :: CA Certificate Compliance, task
Type: task, Priority: Not set, Severity: normal
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: kwilson, Assigned: o-garcia
Whiteboard: [ca-compliance]

https://crt.sh/mozilla-disclosures#undisclosed is reporting that the following certificate is not disclosed in the CCADB.

https://crt.sh/?sha256=c7cf9edf18f88c5ce35e9de88c6f5c21ad8a4e742da74cc71468807094d82d6b&opt=mozilladisclosure
Serial Number: 24:c5:c8:aa:56:6f:8e:e8:4c:be:a7:05:5c:e1:64:a4
Signature Algorithm: sha256WithRSAEncryption
Issuer: (CA ID: 337)
    commonName = Izenpe.com
    organizationName = IZENPE S.A.
    countryName = ES
Validity
    Not Before: Oct 20 08:23:33 2010 GMT
    Not After : Dec 12 23:00:00 2037 GMT
Subject: (CA ID: 535)
    commonName = EAEko Herri Administrazioen CA - CA AAPP Vascas (2)
    organizationalUnitName = AZZ Ziurtagiri publikoa - Certificado publico SCA
    organizationName = IZENPE S.A.
    countryName = ES

Status: NEW → ASSIGNED

I think someone has added a "NULL" bit at the end of the certificate to create a second SHA2 hash for an already known/disclosed CA certificate.

Indeed, when I search for that serial number in the CCADB, it finds the disclosed certificate.

The "NULL" signature parameters are actually correct for an RSA signature. The problem here is that the signature parameters within the TBSCertificate are missing the required "NULL" parameters, which I suppose means that https://crt.sh/?id=1477430 was misissued (although presumably that occurred in ~2010, before BRs v1.0).

I've deleted the duplicate certificate record mentioned in comment #0 from the crt.sh database so that https://crt.sh/mozilla-disclosures stops flagging it.
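
An added example, not part of the bug thread or crt.sh's code: a minimal DER walk that compares TBSCertificate.signature with the outer signatureAlgorithm and flags an RSA AlgorithmIdentifier without NULL parameters, showing how one signed TBSCertificate can yield two SHA-256 fingerprints. The sample bytes are constructed (not the Izenpe certificate), and the helper names (tlv, children, split_cert, report, der) are assumptions of this example.

```python
import hashlib

SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
NULL = b"\x05\x00"  # DER NULL, the RSA "parameters" value

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf):  # -> [(tag, full_encoding)] for elements inside a SEQUENCE
    _, pos, end = tlv(buf)
    out = []
    while pos < end:
        tag, _, nxt = tlv(buf, pos)
        out.append((tag, buf[pos:nxt]))
        pos = nxt
    return out

def split_cert(cert_der):  # -> (tbs, inner_alg, outer_alg) as raw DER
    (_, tbs), (_, outer) = children(cert_der)[:2]
    fields = [enc for tag, enc in children(tbs) if tag != 0xA0]  # skip [0] version
    return tbs, fields[1], outer  # fields[0] is serialNumber

def report(cert_der):
    """Fingerprints plus findings on the two signature AlgorithmIdentifiers."""
    tbs, inner, outer = split_cert(cert_der)
    findings = []
    if inner != outer:
        findings.append("inner/outer AlgorithmIdentifier mismatch")
    for name, alg in (("inner", inner), ("outer", outer)):
        if SHA256_RSA_OID in alg and not alg.endswith(NULL):
            findings.append(f"{name} RSA AlgorithmIdentifier lacks NULL parameters")
    return {"cert_sha256": hashlib.sha256(cert_der).hexdigest(),
            "tbs_sha256": hashlib.sha256(tbs).hexdigest(), "findings": findings}

def der(tag, *parts):  # encoder for the constructed sample (bodies < 128 bytes)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed sample, not the Izenpe certificate: one TBS and signature, two outer encodings.
ALG_BARE, ALG_NULL = der(0x30, SHA256_RSA_OID), der(0x30, SHA256_RSA_OID, NULL)
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01\x02"), ALG_BARE, der(0x30))
SIG = der(0x03, b"\x00" + b"\xab" * 8)
CERT_A, CERT_B = der(0x30, TBS, ALG_BARE, SIG), der(0x30, TBS, ALG_NULL, SIG)
```

Comparing report(CERT_A) with report(CERT_B) gives the same tbs_sha256 but different cert_sha256, which is why matching on serial number or TBS hash finds the already-disclosed record when the whole-certificate fingerprint does not.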

Looks like this was a false positive, so closing as INVALID.

However, I encourage Izenpe to consider replacing their old, long-lived intermediate certs with newer BR-compliant certs.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID

We'll keep it in mind.
Thanks

Product: NSS → CA Program