Note that Sectigo provided a full writeup of the original issue in bug 1645686 comment 61, with a great deal of additional discussion among the community on that thread. Please see that thread and that comment for discussion of the original issue.
This writeup will cover the three missing certificates from the original writeup.
1. How your CA first became aware of the problem
In its role providing information to us in response to Ben’s question in comment 5, Sectigo discovered that three affected Network Solutions certificates were not visible at misissued.com, despite internal records indicating that they had been added. Sectigo informed us of that discovery.
August 10, 2021
Ben Wilson writes up this bug based on our recent WebTrust reports.
After investigation, we conclude that this incident is a duplicate of bug 1645686 and express that belief in comment 2.
Ben asks for specifics of where these certificates were reported in comment 3.
Ben clarifies in comment 5 that he’s looking for specifics of when they were reported, not when they were revoked.
August 26 to September 13
We quickly identify seven certificates by where and when they were reported. Unable to find the other three, we recruit Sectigo’s help. Sectigo eventually concludes that, although it possesses multiple internal records including these certificates for uploading to misissued.com, for an unknown reason those certificates are not visible in the expected batch. This failure to report was unknown until this investigation.
In comment 6 Sectigo explains its conclusion and reports the missing certificates.
3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.
This writeup is regarding failure to report certificates, not the original misissuance. The original misissuance was resolved in 2020 and covered in bug 1645686.
4. Summary of the problematic certificates
Three certificates were not reported in bug 1645686, issued between December 18, 2019 and April 10, 2020.
5. Affected certificates
The certificates that were not reported successfully are:
6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now
During its response to bug 1645686 Sectigo chose to load identified certificates to misissued.com in what eventually was batch 185. Internal records for this batch included these three certificates, in addition to the seven reported. However, these certificates do not currently appear in that batch, or any other misissued.com batch that we can identify.
We have been unable to determine the process or software error that led to these certificates failing to appear.
7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future
As described in comment 6, Sectigo has ceased using misissued.com for reporting certificates on Bugzilla, in favor of direct reporting. The direct reporting model will not result in this same error again.
Network Solutions is moving all our remaining CA operations to a pure managed service from Sectigo. Once our existing certificates have expired out, we will cease to behave as an active CA on Bugzilla. We have targeted a full transition to the managed service on or before November 8, 2021.