Closed Bug 1706860 Opened 8 months ago Closed 6 months ago

Microsoft PKI Services: Certificate Mis-Issuance, DNSName is not FQDN, Preferred Name Syntax


(NSS :: CA Certificate Compliance, task)


(Not tracked)



(Reporter: johnmas, Assigned: johnmas)


(Whiteboard: [ca-compliance])


Type: defect → task
  1. How your CA first became aware of the problem.

Microsoft PKI Services has identified three certificates that have been mis-issued because they have a DNSName that is not a Fully Qualified Domain Name (hyphen at the end of a label) in the SAN. We discovered this on 20 April 2021 at 1:40 PM while investigating preferred name syntax errors related to a bug that was opened last week ( We are still in the process of scanning for other preferred name syntax issues in our certificates and will provide updates as we continue this search.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Note: Times are listed in the Pacific time zone.
• 15 April 2021 07:32 AM – Bugzilla incident 1705419 opened.
• 15 April 2021 03:45 PM – Updated internal linting tools to improve the check for preferred name syntax in SAN.
• 20 April 2021 01:40 PM – Checked issued certificates for hyphen at end of label in DNSNames and discovered three (3) certificates have been mis-issued because their DNSName is not FQDN (due to specific syntax, hyphen at end of label).
• 21 April 2021 10:59 AM – Confirmed all three (3) certificates have been revoked and the appropriate CRLs are published.

  3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

We never stopped certificate issuance related to the issue, because we were able to verify that the updated preferred syntax name controls that we added to our internal linting tools last week (15 April 2021) prevent these types of certificates from being issued by our systems going forward.

  4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

There are three (3) certificates that we have found with this issue. All three (3) have now been revoked.
• cablint, x509lint (issued 11 Nov 2020)
• x509lint, zlint (issued 20 Jan 2021)
• cablint, zlint (issued 20 Jan 2021)

  5. In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

See the above for links to certificates.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We are still investigating the root cause of this incident. It appears to be similar to the cause of a Bug from last week with a similar syntax issue ( We will provide more details as we dig into our investigation.

  7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

• We have reviewed all TLS certificates that Microsoft PKI Services has issued for this syntax error (hyphen at the end of a label) and we have only discovered the three certificates listed above.
• All three (3) certificates were revoked within 24 hours of us discovering they had this syntax error.
• We updated our internal linting tools last week (April 15) to address preferred name syntax errors and upon this discovery (of this new issue) we revalidated that our production system will now catch these specific errors (hyphen at the end of a label in the SAN).
• We will continue to review our Issued Certificates for other preferred name syntax errors and report results here.
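
The kind of pre-issuance check this report refers to (a hyphen at the end of a DNSName label, and preferred name syntax more generally), as an added example that is not part of the original report and is not Microsoft PKI Services' linting code. The function names `lint_dns_name` and `lint_san` are hypothetical and the sample SAN entries are constructed.

```python
import re

# Preferred name syntax (RFC 1034 section 3.5, first character relaxed by
# RFC 1123): a label is letters, digits and hyphens, begins and ends with a
# letter or digit, and is 1 to 63 characters long.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_NAME_LEN = 253  # text form of a name, without a trailing dot


def lint_dns_name(name):
    """Return the findings for one SAN dNSName value (empty list = pass)."""
    if not name:
        return ["empty dNSName"]
    findings = []
    if len(name) > MAX_NAME_LEN:
        findings.append(f"name longer than {MAX_NAME_LEN} characters")
    labels = name.split(".")
    if len(labels) < 2:
        findings.append("not fully qualified: single label")
    for index, label in enumerate(labels):
        if index == 0 and label == "*":
            continue  # wildcard accepted only as the entire leftmost label
        if label == "":
            findings.append(f"label {index}: empty label")
        elif len(label) > 63:
            findings.append(f"label {index}: longer than 63 characters")
        elif label.endswith("-"):
            findings.append(f"label {index} '{label}': hyphen at end of label")
        elif label.startswith("-"):
            findings.append(f"label {index} '{label}': hyphen at start of label")
        elif not LABEL_RE.match(label):
            findings.append(f"label {index} '{label}': character outside letters, digits, hyphen")
    return findings


def lint_san(dns_names):
    """Map each failing dNSName to its findings; passing names are omitted."""
    return {n: f for n in dns_names if (f := lint_dns_name(n))}


# Constructed sample SAN entries (not taken from the affected certificates).
SAMPLE_SAN = [
    "www.example.com",
    "api-.example.com",  # hyphen at end of a label, the case in this report
    "*.example.com",
    "-edge.example.com",
    "under_score.example.com",
    "localhost",
]
```

Running `lint_san` over every dNSName in a to-be-signed certificate and refusing issuance on a non-empty result places the check ahead of signing, rather than relying on scans of already-issued certificates.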

Assignee: bwilson → johnmas
Ever confirmed: true
Whiteboard: [ca-compliance]

Microsoft PKI Services has completed a review of all certificates that we have issued and there are no additional certificates, aside from the three (3) identified in this report and the five (5) identified in that have issues with Preferred Name Syntax.

As stated above, we updated our internal linting tools on 15 April 2021 to address preferred syntax name errors going forward.

We have determined that the Root Cause and remediation for these Preferred Syntax Errors is identical to the first Bugzilla bug we opened on this topic, and we are tracking additional remediations in that bug.

We ask that this bug be resolved and that remediations be tracked in the first bug on this topic.

I will close this bug on or about Friday, 4-June-2021, unless there are reasons to keep it open.

Flags: needinfo?(bwilson)
Closed: 6 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED