Closed Bug 1725043 Opened 4 months ago Closed 2 months ago

Network Solutions: 2021 Audit Observation #3

(NSS :: CA Certificate Compliance, task)

(Not tracked)

(Reporter: bwilson, Assigned: keith.mckenney)

(Whiteboard: [ca-compliance])

Assignee: bwilson → keith.mckenney

Network Solutions is required to file an Incident Report -

Flags: needinfo?(keith.mckenney)

Do we know which batches these were in, as reported in bug #1645686? And if these certificates were handled in that bug, then why wasn't that bug number referenced in the audit reports?

Do we know which batches these were in, as reported in bug #1645686?

One certificate revoked August 15:

The remaining seven certificates revoked October 26:

And if these certificates were handled in that bug, then why wasn't that bug number referenced in the audit reports?

The Subordinate CAs that issued the leaf certificates fall out of scope of the Network Solutions audit and were disclosed in Sectigo’s audit report for the same period, for which they were in scope. The reason for this decision is that BDO elected to treat NetSol-branded Sub-CAs that chain only to Sectigo Roots as "managed CAs" that are only in scope for Sectigo's audit. BDO considers Network Solutions to be the CA Owner of Sub-CAs that chain to our own roots (irrespective of whether or not a cross-certified chain up to a Sectigo Root also exists).

My question was not for the revocation date for these certificates. I am trying to verify the statement that bug 1645686 identified and reported all of the certificates in question. The URLs with certificate serial numbers are not as helpful as the references used in bug 1645686, which were SHA256 hashes, database cert IDs, and batch numbers from (which then reference database cert IDs). Even a pointer to a particular comment # in bug 1645686 would help. I'm just having a hard time correlating your list of certificates with those certificates reported in bug 1645686.

Flags: needinfo?(keith.mckenney)

(In reply to Ben Wilson from comment #5)
Seven of these certificates were included in batch 185, which was mentioned in bug 1645686, comment 56:

The remaining three were included in multiple places in our records of the certificate list to be uploaded. However, they are not visible in any batch we can find on Our best surmise is that we experienced an error when adding these certificates to, which were already revoked at that time. As our current practice is to include affected certificates directly in the relevant bug (as text, the way you see here, for short lists and in attached files for longer lists), we do not expect repetition of this error.

The certificates missing from that batch are:
Flags: needinfo?(keith.mckenney)

As a matter that is directly relevant to this conversation, Network Solutions and Sectigo have decided to transition the Network Solutions and branded digital certificate businesses entirely to a managed CA model, managed by Sectigo.

We intend to announce a target transition date and other relevant details by the end of this month.

We are working on a full writeup for this incident.

Note that Sectigo provided a full writeup of the original issue in bug 1645686 comment 61, with a great deal of additional discussion among the community on that thread. Please see that thread and that comment for discussion of the original issue.

This writeup will cover the three missing certificates from the original writeup.

1. How your CA first became aware of the problem

In its role providing information to us in response to Ben’s question in comment 5, Sectigo discovered that three affected Network Solutions certificates were not visible at, despite internal records indicating that they had been added. Sectigo informed us of that discovery.

2. Timeline

August 10, 2021
Ben Wilson writes up this bug based on our recent WebTrust reports.

August 13
After investigation, we conclude that this incident is a duplicate of bug 1645686 and express that belief in comment 2.

August 16
Ben asks for specifics of where these certificates were reported in comment 3.

August 26
Ben clarifies in comment 5 that he’s looking for specifics of when they were reported, not when they were revoked.

August 26 to September 13
We quickly identify seven certificates by where and when they were reported. Unable to find the other three, we recruit Sectigo’s help. Sectigo eventually concludes that, although it possesses multiple internal records including these certificates for uploading to, for an unknown reason those certificates are not visible in the expected batch. This failure to report was unknown until this investigation.

September 14
In comment 6 Sectigo explains its conclusion and reports the missing certificates.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

This writeup is regarding failure to report certificates, not the original misissuance. The original misissuance was resolved in 2020 and covered in bug 1645686.

4. Summary of the problematic certificates

Three certificates were not reported in bug 1645686, issued between December 18, 2019 and April 10, 2020.

5. Affected certificates

The certificates that were not reported successfully are:

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now

During its response to bug 1645686 Sectigo chose to load identified certificates to in what eventually was batch 185. Internal records for this batch included these three certificates, in addition to the seven reported. However, these certificates do not currently appear in that batch, or any other batch that we can identify.

We have been unable to determine the process or software error that led to these certificates failing to appear.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future

As described in comment 6, Sectigo has ceased using for reporting certificates on Bugzilla, in favor of direct reporting. The direct reporting model will not result in this same error again.

Network Solutions is moving all our remaining CA operations to a pure managed service from Sectigo. Once our existing certificates have expired out, we will cease to behave as an active CA on Bugzilla. We have targeted a full transition to the managed service on or before November 8, 2021.

Are there any other questions on this issue?

Ben, this discussion appears to have run its course. Should we close this bug?

Flags: needinfo?(bwilson)

I'll close this on Wed. 20-Oct-2021.

Closed: 2 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED