Closed Bug 1910195 Opened 1 year ago Closed 1 year ago

IdenTrust: Invalid special characters in S/MIME Certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [smime-misissuance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Steps to reproduce:

Preliminary Incident Report

### Summary:
We are currently investigating an issue concerning special characters in the subject of S/MIME certificates, affecting 1 active and 1 revoked S/MIME certificate.

The problem involves incorrect encoding of special characters in the Subject's common name field, not in line with section 7.1 of RFC 5280.

### Current Actions

  • Revoking the active certificate
  • Updating the configuration to stop mis-issuance – already completed
  • Gathering information for root cause analysis

We will disclose a complete Incident report by August 9, 2024

Assignee: nobody → roots
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [smime-misissuance]

FINAL REPORT

Summary

There was a configuration issue that caused improper encoding of a special character in the Subject's common name field, not in line with section 7.1 of RFC 5280, for one of our customer's accounts. This was discovered by our engineering team. After investigating the issue further, we were able to confirm that two certificates presented the same issue.

Impact

The issue resulted in a mis-issuance of two S/MIME certificates. One of the certificates was active while the other was revoked.

Timeline

All times are MT.

2024-06-20: We were notified by our customer that a certificate generated on 2024-06-18 was not working with their system

2024-06-21: An improperly encoded special character in the subject common name field was discovered. We updated the client profile to prevent similar issues

2024-06-25: The certificate generated on 2024-06-18 was revoked and a new certificate was generated

2024-06-27: The client reached out confirming they were running into the same issue. We continued to work with the customer to investigate the issue further

2024-07-23: The engineering team discovered one mis-issued certificate which was revoked on 2024-06-25

2024-07-24:
• 12:30 A further investigation was initiated to confirm if there were any additional affected certificates
• 14:00 A preliminary list of 18 potentially affected certificates was identified.

2024-07-25: We ran all 18 potentially affected certificates through the linter tool manually and identified 2 mis-issued certificates: 1 active and 1 revoked (revoked 2024-06-25)

2024-07-26:
• 12:21 We notified the customer to revoke the affected certificate
• 14:11 The client confirmed the issue was fixed

2024-07-29: The active certificate was revoked and replaced

Root Cause Analysis

• Configuration issue that caused improper encoding of the special character in the Subject's common name field
• PKILint was not properly configured for this account; as a result, the certificate did not complete the linting process

Lessons Learned

• Ensuring that linting is configured for all accounts
• The PKI team made a change in the configuration to fix the encoding issue but didn't realize that other certificates could be affected and that it violated the RFC 5280 encoding requirements

What went well

• Revocation of the affected certificate was completed within the permissible timeline
• Publishing of the preliminary report was completed within the permissible timeline

What didn't go well

• The PKI team made a change in the configuration to fix the encoding issue but didn't realize that other certificates could be affected and that it violated the RFC 5280 encoding requirements
• PKILint was not configured properly for this account type; as a result, the linting did not occur

Where we got lucky

Only one of the two certificates affected was active which ensured timely revocation and reduced disruption to the client processes.

Action Items

| Action Item | Kind | Due Date |
| --- | --- | --- |
| Configure the PKILint tool to scan all S/MIME certificate accounts | Prevent | Completed |
| Implement a process to include the linting configuration as a part of enterprise customer onboarding | Prevent | 2024-08-31 |

We would like to confirm that we have successfully implemented the linting process for both existing and new enterprise customers. As a result, we consider this issue resolved.

I'll take a look at closing this on Friday, 6-Sept-2024.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED