Certigna: Multiple Reserved Certificate Policy Identifiers in CA certificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: j.allemandou, Assigned: j.allemandou)
Details
(Whiteboard: [ca-compliance] [ca-misissuance])
Preliminary Incident Report
Multiple Reserved Certificate Policy Identifiers in CA certificates.
Summary
- CA Owner CCADB unique ID: A000011
- Incident description:
Chrome Root Program informed us by mail of a violation of the TLS Baseline Requirements. In March 2024, CERTIGNA generated new intermediate CA certificates which include multiple reserved certificate policy identifiers. Indeed, the applicable version of the TLS Baseline Requirements (v2.0.2) states at section 7.1.2.10.5 for the “PolicyIdentifier” field that:
- “The CA MUST include at least one Reserved Certificate Policy Identifier” but also,
- “This Profile RECOMMENDS that the first PolicyInformation value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see 7.1.6.1). Regardless of the order of PolicyInformation values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier.”
- Relevant policies: TLS Baseline Requirements v2.0.2
- Source of incident disclosure: Chrome Root Program
Impact
Seven CA certificates are concerned, and 286 valid OVCP server certificates are impacted:
- Certigna Server Authentication CA: 0 (certificates only for audit purpose)
- Certigna Server Authentication Auto CA: 0 (certificates only for audit purpose)
- Certigna Server Authentication Auto FR CA: 0 (certificates only for audit purpose)
- Certigna Server Authentication ACME CA G1: 187 valid server certificates
- Certigna Server Authentication ACME FR CA G1: 99 valid server certificates
- Certigna Server Authentication ACME CA G2: 0 (certificates only for audit purpose)
- Certigna Server Authentication ACME FR CA G2: 0 (certificates only for audit purpose)
The complete list will be included in the full incident report.
Non-compliance with the Baseline Requirements (v2.0.2), which state in section 7.1.2.10.5:
- “The CA MUST include at least one Reserved Certificate Policy Identifier” (requirement clarified by Ballot SC083v3, effective date: 24-Feb-2025).
- “This Profile RECOMMENDS that the first PolicyInformation value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see 7.1.6.1). Regardless of the order of PolicyInformation values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier.”
Timeline
All times are UTC.
2025-04-28:
- 16:20: Message received by customer service from chrome-root-program@google.com with the category “Other”, and not “Fraudulent and malicious certificate”.
2025-04-29:
- 15:15: Message qualified by customer service and transferred to compliance team.
- 15:15: Analysis of the alert by compliance team.
- 15:30: Notification to all employees involved in issuing certificates.
- 16:15: Stop issuing certificates under the impacted CAs pending the conclusions.
- 16:00: Identification of all certificates impacted by the potential non-compliance.
- 17:32: Acknowledgement of receipt of message to chrome-root-program@google.com.
2025-04-30:
- 10:59: Request for clarification about potential non-compliance sent to chrome-root-program@google.com.
- 12:12: Notification to the Customer impacted of the potential non-compliance to start replacing certificates.
- 12:13: Notification to the Supervisory body (ANSSI) of the potential non-compliance.
- 12:15: Notification to the Assessment body (LSTI) of the potential non-compliance.
Root Cause Analysis
Misinterpretation by our teams of the first requirement mentioning “The CA MUST include at least one Reserved Certificate Policy Identifier”. This requirement, taken in isolation, did not prohibit multiple Reserved Certificate Policy Identifiers in CA certificates. Indeed, the “Ballot SC083v3: Winter 2024-2025 Cleanup Ballot” provides a correction of this requirement with the new wording "The CA MUST include exactly one Reserved Certificate Policy Identifier".
Based on Incident Reporting Template v. 2.0
Were all of the ICAs issued before the effective date of SC083? My understanding is that before SC083 passed, you could have multiple policy OIDs as long as at least one came from the CAB Forum set of policy OIDs.
Hello,
This was our interpretation when these authorities were generated in March 2024; however, we note that the TLS Baseline Requirements 2.0.2 mention in section 7.1.2.10.5 « The CA MUST include at least one Reserved Certificate Policy Identifier (see Section 7.1.6.1) associated with the given Subscriber Certificate type (see Section 7.1.2.7.1) directly or transitively issued by this Certificate » but also this second mention « Regardless of the order of PolicyInformation values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier », which is more restrictive.
We have revoked all the concerned CAs and the subscriber certificates on 05/05/2025. We are preparing the full incident report with a timeline of all actions taken by Certigna, which we will publish shortly.
Full Incident Report
Multiple Reserved Certificate Policy Identifiers in CA certificates.
Summary
- CA Owner CCADB unique ID: A000011
- Incident description: Chrome Root Program informed us by mail of a violation of the TLS Baseline Requirements. In March 2024, CERTIGNA generated new intermediate CA certificates which include multiple reserved certificate policy identifiers. Indeed, the applicable version of the TLS Baseline Requirements (v2.0.2) states at section 7.1.2.10.5 for the “PolicyIdentifier” field that:
- “The CA MUST include at least one Reserved Certificate Policy Identifier” but also,
- “This Profile RECOMMENDS that the first PolicyInformation value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see 7.1.6.1). Regardless of the order of PolicyInformation values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier.”
- Timeline summary:
- Non-compliance start date: 2024-03-13
- Non-compliance identified date: 2025-04-29
- Non-compliance end date: 2025-05-05
- Relevant policies: TLS Baseline Requirements v2.0.2
- Source of incident disclosure: Chrome Root Program
Impact
- Total number of certificates: 7 CA certificates (324 server certificates)
- Total number of "remaining valid" certificates: 0 certificate (all certificates are revoked or expired)
- Affected certificate types: OVCP TLS certificates
- Incident heuristic: The following subordinate CAs:
- Certigna Server Authentication CA
- Certigna Server Authentication Auto CA
- Certigna Server Authentication Auto FR CA
- Certigna Server Authentication ACME CA G1
- Certigna Server Authentication ACME FR CA G1
- Certigna Server Authentication ACME CA G2
- Certigna Server Authentication ACME FR CA G2
- Was issuance stopped in response to this incident, and why or why not?: Yes, to verify the veracity of the incident.
- Analysis: N/A – No revocation delays
- Additional considerations: Non-compliance with the Baseline Requirements (v2.0.2), which specify in Section 7.1.2.10.5:
- “The CA MUST include at least one Reserved Certificate Policy Identifier”
- “This Profile RECOMMENDS that the first PolicyInformation value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see 7.1.6.1). Regardless of the order of PolicyInformation values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier.”
As a reminder, the “Ballot SC083v3: Winter 2024-2025 Cleanup Ballot” provides corrections on these requirements with the following change: “fix: #539 Exactly one RCPOID” (cabforum/servercert@b0da08e on GitHub; effective date: 24-Feb-2025).
Timeline
Correction: All times were GMT in the Preliminary Incident Report.
All times are now UTC.
2025-04-28
- 14:20: Message received by customer service from chrome-root-program@google.com with the category “Other”, and not a specific category such as “Fraudulent and malicious certificate”.
2025-04-29:
- 13:15: Message qualified by customer service and transferred to compliance team.
- 13:15: Analysis of the alert by compliance team.
- 13:30: Notification to all employees involved in issuing certificates.
- 14:15: Stop issuing certificates under the impacted CAs pending the conclusions.
- 14:00: Identification of all certificates impacted by the potential non-compliance.
- 15:32: Confirmation of message receipt to chrome-root-program@google.com.
2025-04-30:
- 08:59: Request for clarification about potential non-compliance sent to chrome-root-program@google.com.
- 10:12: Notification to the Customer impacted of the potential non-compliance to start replacing certificates.
- 10:13: Notification to the Supervisory body (ANSSI) of the potential non-compliance.
- 10:15: Notification to the Assessment body (LSTI) of the potential non-compliance.
- 16:20: Message from chrome-root-program@google.com with clarifications.
- 17:56: Bug report with Preliminary Incident Report.
2025-05-02:
- 15:06: Revocation of end-entity valid certificates (e.g. certificates for audit purpose) issued by subordinate CAs involved but not used in production:
- Certigna Server Authentication CA (crl: https://crl.certigna.com/CertignaServerAuthenticationCA.crl)
- Certigna Server Authentication Auto CA (crl: https://crl.certigna.com/CertignaServerAuthenticationAutoCA.crl)
- Certigna Server Authentication Auto FR CA (crl: https://crl.certigna.com/CertignaServerAuthenticationAutoFRCA.crl)
- Certigna Server Authentication ACME CA G2 (crl: https://crl.certigna.com/CertignaServerAuthenticationACMECAG2.crl)
- Certigna Server Authentication ACME FR CA G2 (crl: https://crl.certigna.com/CertignaServerAuthenticationACMEFRCAG2.crl)
- 16:55: Revocation of these subordinate CAs and publication of associated CRLs.
- Certigna Server Authentication Root CA (crl: https://crl.certigna.com/CertignaServerAuthenticationRootCA.crl)
- Certigna Root CA (crl: https://crl.certigna.fr/certignarootca.crl)
2025-05-05:
- 14:06: Revocation of end-entity valid certificates issued by last subordinate CAs involved:
- Certigna Server Authentication ACME CA G1 (crl: https://crl.certigna.com/CertignaServerAuthenticationACMECAG1.crl)
- Certigna Server Authentication ACME FR CA G1 (crl: https://crl.certigna.com/CertignaServerAuthenticationACMEFRCAG1.crl)
- 14:17: Revocation of the last subordinate CAs involved and publication of associated CRLs.
- Certigna (crl: https://crl.certigna.fr/certigna.crl)
Related Incidents
N/A
Root Cause Analysis
Contributing Factor #1: Isolated requirement misinterpreted
- Description: Misinterpretation by our teams of the first requirement mentioning “The CA MUST include at least one Reserved Certificate Policy Identifier”. This requirement, taken in isolation, did not prohibit multiple Reserved Certificate Policy Identifiers in CA certificates. Indeed, the “Ballot SC083v3: Winter 2024-2025 Cleanup Ballot” provides a correction of this requirement with the new wording "The CA MUST include exactly one Reserved Certificate Policy Identifier".
- Timeline: When defining the “Certification policies” field for integration into the new CA certificate profiles, the additional and more restrictive requirement was not identified, and only the following requirement “The CA MUST include at least one Reserved Certificate Policy Identifier” was taken into consideration. This requirement has since been replaced by the “Ballot SC083v3: Winter 2024-2025 Cleanup Ballot” with a requirement consistent with the other, more restrictive one.
- Detection: Email received from Chrome Root Program. The correction of this requirement by the ballot SC83 was indeed identified and considered for our new CAs issued in 2025, but this did not highlight the presence of the more restrictive requirement already applicable in 2024.
- Interaction with other factors: N/A
- Root Cause Analysis methodology used: 5-Whys
Lessons Learned
- What went well:
- Customers using ACME were able to initiate the replacement of their certificates so that we could revoke within the required delays.
- The effectiveness of our emergency revocation processes for end-entity and CA certificates, during a period affected by a weekend and a French public holiday.
- What didn’t go well:
- The email category was handled by customer service, resulting in additional time to transfer it to the compliance team.
- Where we got lucky:
- The CAs concerned were recent, and some were not used in production.
- Additional: N/A
Action Items
Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
---|---|---|---|---|---|
Awareness of all contributors to the definition and validation of certificate profiles | Prevent | Root Cause # 1 | Should limit the occurrence of this type of incident | 2025-05-02 | Complete |
Creation of the following email subject category: “Report a non-compliance” | Prevent | Root Cause # 1 | New email category subject on the website contact form | 2025-05-16 | Ongoing |
Appendix
Details of affected certificates
The following subordinate CA certificates are impacted:
- https://crt.sh/?id=13864229289 - Certigna Server Authentication CA
- https://crt.sh/?id=13864237051 - Certigna Server Authentication Auto CA
- https://crt.sh/?id=13864229507 - Certigna Server Authentication Auto FR CA
- https://crt.sh/?id=12579181438 - Certigna Server Authentication ACME CA G1
- https://crt.sh/?id=12579181437 - Certigna Server Authentication ACME FR CA G1
- https://crt.sh/?id=12579181439 - Certigna Server Authentication ACME CA G2
- https://crt.sh/?id=12579181434 - Certigna Server Authentication ACME FR CA G2
Based on Incident Reporting Template v. 2.0
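The rule at the heart of this incident (TLS BR section 7.1.2.10.5: the Certificate Policies extension must contain exactly one Reserved Certificate Policy Identifier) is straightforward to lint for before a CA certificate profile goes into production. The following Python is an added example written for this page; it is not Certigna's tooling or code from this bug. It assumes the input is the DER-encoded value of the certificatePolicies extension (OID 2.5.29.32), implements a minimal DER walk so it needs no third-party library, and uses the four CA/Browser Forum reserved identifiers from BR 7.1.6.1. The sample extension values, the CA policy OID 2.999.1.1 (the ITU-T arc reserved for examples) and the example.com CPS URI are all constructed.

```python
"""Lint check for TLS BR 7.1.2.10.5: a Certificate Policies extension must
carry exactly one Reserved Certificate Policy Identifier.

Added example (not Certigna's tooling). Minimal DER parser for the
certificatePolicies extension value (RFC 5280 section 4.2.1.4).
Sample inputs at the bottom are constructed.
"""

# CA/Browser Forum Reserved Certificate Policy Identifiers (TLS BR 7.1.6.1)
RESERVED_CPOIDS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}

TAG_OID, TAG_IA5, TAG_SEQ = 0x06, 0x16, 0x30


def _read_tlv(data, pos):
    """Return (tag, content, next_pos) for the DER element at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def _decode_oid(content):
    """Decode OID content octets (base-128 subidentifiers) to dotted form."""
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    # the first two arcs are packed into one subidentifier (X*40 + Y)
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])


def policy_identifiers(cert_policies_der):
    """All policyIdentifier OIDs in a certificatePolicies extension value."""
    tag, content, _ = _read_tlv(cert_policies_der, 0)
    if tag != TAG_SEQ:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        ptag, info, pos = _read_tlv(content, pos)   # PolicyInformation
        otag, oid_bytes, _ = _read_tlv(info, 0)     # policyIdentifier
        if ptag != TAG_SEQ or otag != TAG_OID:
            raise ValueError("malformed PolicyInformation")
        oids.append(_decode_oid(oid_bytes))         # policyQualifiers skipped
    return oids


def check_reserved_policy_count(cert_policies_der):
    """Return (compliant, reserved_oids_found); compliant iff exactly one."""
    found = [o for o in policy_identifiers(cert_policies_der) if o in RESERVED_CPOIDS]
    return len(found) == 1, found


# --- helpers to build the constructed sample extension values ---------------
def _len(n):
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = b""
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append((sub & 0x7F) | 0x80)
            sub >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, out)


def _policy(oid, cps_uri=None):
    """PolicyInformation, optionally with an id-qt-cps (1.3.6.1.5.5.7.2.1) qualifier."""
    body = _encode_oid(oid)
    if cps_uri:
        qualifier = _tlv(TAG_SEQ, _encode_oid("1.3.6.1.5.5.7.2.1")
                         + _tlv(TAG_IA5, cps_uri.encode("ascii")))
        body += _tlv(TAG_SEQ, qualifier)
    return _tlv(TAG_SEQ, body)


# Constructed samples; 2.999.1.1 stands in for a CA's own policy OID.
NONCOMPLIANT = _tlv(TAG_SEQ, _policy("2.23.140.1.2.2") + _policy("2.23.140.1.2.1")
                    + _policy("2.999.1.1", "https://example.com/cps"))
COMPLIANT = _tlv(TAG_SEQ, _policy("2.23.140.1.2.2")
                 + _policy("2.999.1.1", "https://example.com/cps"))
NO_RESERVED = _tlv(TAG_SEQ, _policy("2.999.1.1"))

if __name__ == "__main__":
    for name, der in [("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT),
                      ("no-reserved", NO_RESERVED)]:
        ok, found = check_reserved_policy_count(der)
        print(f"{name}: {'PASS' if ok else 'FAIL'} reserved={found}")
```

The NONCOMPLIANT sample mirrors the shape of this incident (two reserved identifiers, OV and DV, beside the CA's own policy OID) and fails the check, while the check also flags the opposite defect, an extension with no reserved identifier at all. Run as a profile-validation step, the same function applied to every new CA certificate before it is published would have caught both.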