KIR: Intermediate CA - SZAFIR Trusted CA3 - Certificate Policies extension - non-compliance
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: piotr.grabowski, Unassigned)
Details
Incident Report
Summary
An incident occurred where 1 intermediate certificate was incorrectly issued.
The Certificate Policies extension in the SZAFIR Trusted CA3 Intermediate CA was missing Reserved Certificate Policy Identifiers that indicate adherence and compliance with the S/MIME BR.
We were first notified by an email message from Rob Stradling posted to kontakt at kir.pl.
Impact
1 Intermediate CA certificate issued on Oct 11, 2023 – 10:49 UTC.
Because the given Intermediate CA is operational and has issued almost 10K end user (EE) certificates (S/MIME and mainly client authentication), which are used in critical infrastructure and cannot be safely replaced, the impacted certificate has not yet been revoked. We are developing a plan to safely switch issuance to the new intermediate CA certificate and retire or revoke the Szafir Trusted CA3 intermediate CA certificate. We will post the migration plan by Oct 11, 2025.
Timeline
Sep 25, 2024 – 11:33 UTC – Rob Stradling posts an email message to kontakt at kir.pl.
Sep 26, 2024 – 09:52 UTC – We began a preliminary investigation.
Sep 26, 2024 – 11:11 UTC – Piotr Grabowski from KIR WebPKI team responds to Rob’s message that KIR already started analyzing the issue.
Sep 26, 2024 – 12:44 UTC – Rob Stradling posts an email message to Piotr Grabowski from KIR WebPKI team with thanks for acknowledging.
Sep 27, 2024 – 06:30 UTC – Intermediate CA certificate profile was updated to be compliant with S/MIME BR.
Root Cause Analysis
Unlike EE certificates, which are automatically verified, our process for issuing intermediate CA certificates involves several manual steps and is based on a dedicated procedure for CA generation. During the CA certificate generation on October 11, 2023, the updated procedure for CA generation contained an incorrect value in the Certification Policy field. The operator during the generation ceremony performed actions according to the procedure and used the wrong value from the procedure.
Lessons Learned
What went well
What didn't go well
The updated procedure for CA generation contained an incorrect value in the Certification Policy field.
Where we got lucky
Action Items
Action Item | Kind | Due Date |
---|---|---|
Updated our procedures for the generation of CA certificates to include all possible extensions and DN values | prevent | Sep 27, 2024 (completed) |
We have included an additional check by the dedicated person from compliance department to validate the procedure before the use to generate a certificate | prevent | Sep 27, 2024 (completed) |
Reviewed all certificate profiles on our CA system | prevent | Sep 27, 2024 (completed) |
Implement automatic linter for intermediate CA certificates checks | prevent/detect | Oct 4, 2024 (TODO) |
Migration plan and revocation date of impacted certificate | mitigate | Oct 11, 2024 (TODO) |
Based on Incident Reporting Template v. 2.0