IdenTrust: duplicate Certificate in error flagged by OCSP Watch
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: roots, Assigned: roots)
Details
(Whiteboard: [ca-compliance] [ocsp-failure])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Steps to reproduce:
Yesterday, May 1, 2023, we noticed that an IdenTrust-issued certificate has been flagged in error by SSLMate's OCSP Watch since March 23, 2023.
We are investigating the cause for that flagging and will supply an incident report by May 12, 2023.
(In reply to IdenTrust from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
> Steps to reproduce:
> Yesterday May 1, 2023 we noticed that an IdenTrust issued certificate is being flagged in error by sslmate OCSP Watch since March 23, 2023.
> We are investigating the cause for that flagging and will supply an incident report by May 12, 2023.
Complete Incident Report:
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
On May 1, 2023, we noticed that an IdenTrust-issued certificate was flagged by SSLMate's OCSP Watch with an "unauthorized" status. Upon investigation, we discovered that the certificate in error was a precertificate pending a retrieval or revocation status update. Further investigation revealed that this was a duplicate instance of a certificate that was properly processed on March 23, 2023, leaving this precertificate with an invalid status.
As precertificates must be treated the same as certificates under the CA/B Forum Baseline Requirements for TLS Server Certificates, this is a violation of section 4.10.2, failing to provide a correct OCSP status within 10 seconds or less.
2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2023-05-01 11:26 MST: Internal CA/BF support team noticed OCSP Watch flagging IdenTrust with one certificate in error.
2023-05-02 12:21 MST: PKI team started the investigation by reviewing internal logs for 2023-03-23 activity (the date shown in OCSP Watch for the certificate flagged in error) and, after an exhaustive review, concluded that this was a duplicate instance of an OV TLS precertificate for which the initial certificate application was submitted twice by the requestor. Here is the timeline of the events that took place on 2023-03-23:
2023-03-23 10:53:44,890 MST: First OV TLS certificate request received (Cert-A)
2023-03-23 10:53:44,895 MST: Second OV TLS certificate request received (Cert-B)
2023-03-23 10:53:45,305 MST: CAA check validation passed for Cert-B
2023-03-23 10:53:45,306 MST: CAA check validation passed for Cert-A
2023-03-23 10:53:45,550 MST: Created and disclosed precertificate Cert-A to CT logs, publishing Serial Number: 4001870f640359c9be1ce585953c1897
2023-03-23 10:53:45,683 MST: Created and disclosed precertificate Cert-B to CT logs, publishing Serial Number: 4001870f6404096b2cbdd56c2f0fe474
2023-03-23 10:53:46,650 MST: Customer initiated certificate retrieval
2023-03-23 10:53:46,685 Error pulling individual SCT / Error storing value in cert_sct
2023-03-23 10:53:46,689 MST: Retrieval successfully completed for Cert-A, removing the poison extension on precertificate serial number 4001870f640359c9be1ce585953c1897
2023-03-23 10:53:46,699 ERROR: Problem making delayed ssl cert with activation:Error retrieving SCT List for cert
Removal of the poison extension on Cert-B never happened, as the update on Cert-A had already successfully completed the process from the customer side; this left Cert-B to be reported as the error by the OCSP Watch monitor.
2023-05-09 16:28 UTC: PKI team revoked Cert-B (https://crt.sh/?id=8966564417) and confirmed that the certificate was no longer visible in OCSP Watch.
3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Yes.
4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
One precertificate, issued on 2023-03-23.
5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The instance of the precertificate in error was caused by a duplicate certificate application/process: two certificate applications were received for the same certificate, causing two precertificates to be disclosed to CT logs, but upon processing the real certificate, the second precertificate was left unattended in the CT logs due to the successful retrieval of the initial application. As the intended certificate was issued as expected, our systems did not detect a pending precertificate in CT logs until it was flagged by the OCSP Watch monitor.
7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
The precertificate flagged in error by the OCSP Watch Monitor has been revoked clearing the issue.
We plan to update our systems by June 30, 2023 to check for duplicate certificate applications and reject them to prevent recurrence of this issue.
A status update will be provided no later than May 31, 2023.
We are on track to deploy the update to prevent recurrence of this issue.
A status update will be provided on or before June 30, 2023.
On June 1, 2023, we deployed a fix to prevent recurrence of this issue. We have no additional updates and consider the issue resolved.
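The two controls the report points at, an intake check that rejects a duplicate application before a second precertificate is logged, and a reconciliation that finds precertificates with no final certificate, as an added example (not IdenTrust's code; the Application fields, account and CSR values are constructed, the serials are the two from the timeline above):

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:
    """Constructed sample of a certificate application (not IdenTrust's schema)."""
    account: str
    sans: tuple      # requested dNSNames
    csr_der: bytes   # constructed placeholder for the CSR bytes

def dedup_key(app: Application) -> str:
    """Same requester, same names, same CSR: the same certificate request."""
    h = hashlib.sha256()
    h.update(app.account.encode())
    h.update(",".join(sorted(app.sans)).encode())
    h.update(app.csr_der)
    return h.hexdigest()

class IntakeQueue:
    """Remembers in-flight applications so an exact repeat is rejected before
    a second precertificate is created and disclosed to CT logs."""
    def __init__(self) -> None:
        self.in_flight: dict = {}
    def submit(self, app: Application) -> bool:
        key = dedup_key(app)
        if key in self.in_flight:
            return False  # duplicate: do not create a second precertificate
        self.in_flight[key] = app
        return True
    def complete(self, app: Application) -> None:
        """Called once the final certificate for this application is issued."""
        self.in_flight.pop(dedup_key(app), None)

def orphaned_precerts(precert_serials, final_serials, revoked_serials):
    """Serials disclosed to CT as precertificates that never became a final
    certificate and were never revoked: these have no valid OCSP status and
    must be revoked (as Cert-B was) or given a status record."""
    return sorted(set(precert_serials) - set(final_serials) - set(revoked_serials))

def demo():
    """Replay the 2023-03-23 sequence with constructed application data."""
    q = IntakeQueue()
    app = Application("requestor-1", ("example.com",), b"constructed-csr")
    accepted = (q.submit(app), q.submit(app))  # second submission rejected
    precerts = ["4001870f640359c9be1ce585953c1897",   # Cert-A
                "4001870f6404096b2cbdd56c2f0fe474"]   # Cert-B
    finals = ["4001870f640359c9be1ce585953c1897"]     # only Cert-A was retrieved
    return accepted, orphaned_precerts(precerts, finals, [])
```

Run as a periodic job against the CA's own issuance database, the reconciliation would have surfaced Cert-B on 2023-03-23 rather than on 2023-05-01 via an external monitor.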
Comment 5
I'll close this next week on Wed. 28-June-2023 unless there are any questions or issues still to address.