Open Bug 1990274 Opened 4 months ago Updated 3 months ago

SwissSign: recommendation on synchronization of staging and production environments

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
ASSIGNED

People

(Reporter: sandy.balzer, Assigned: sandy.balzer)

Details

(Whiteboard: [ca-compliance] [audit-finding] Next update 2026-04-30)

Preliminary Incident Report

Summary

  • Incident description: The audit report contains a recommendation regarding the improvement of the synchronization between SwissSign’s staging and production environments.

  • Relevant policies: ETSI EN 319 401, REQ-7.7-03

  • Source of incident disclosure: Audit

Assignee: nobody → sandy.balzer
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000049
  • Incident description: The audit report contains a recommendation regarding the improvement of the synchronization between SwissSign’s staging and production environments.
  • Timeline summary:
    • Non-compliance start date: N/A (audit recommendation and not non-compliance)
    • Non-compliance identified date: N/A (audit recommendation and not non-compliance)
    • Non-compliance end date: N/A (audit recommendation and not non-compliance)
  • Relevant policies: ETSI EN 319 401, REQ-7.7-03
  • Source of incident disclosure: Audit

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic: N/A
  • Was issuance stopped in response to this incident, and why or why not?: Certificate issuance was not halted, as certificate issuance was not impacted.
  • Analysis: N/A
  • Additional considerations: SwissSign is in the process of automating synchronization of PKI software configuration and certificate profiles from test to production environments. The automation is based on "Infrastructure as code" and will - in time - replace the audited manual processes.

Timeline

  • 12.09.2025 Audit report containing this recommendation published

Related Incidents

none found

Root Cause Analysis

Contributing Factor #1:

  • Description: Auditors recommend to continue implementation of the automation as it can avoid manual mistakes. SwissSign is committed to use automation in as many areas as possible to strengthen the resilience of the overall CA system.
  • Timeline: N/A
  • Detection: Audit
  • Interaction with other factors: N/A
  • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: N/A
  • What didn’t go well: N/A
  • Where we got lucky: N/A
  • Additional: N/A

Action Items

Action Item Kind Corresponding Root Cause(s) Evaluation Criteria Due Date Status
Implement automation of sync from test to production Prevent Root Cause # 1 New process audited 2026-04-30 In progress

Appendix

N/A

We're monitoring this Bugzilla for Community feedback.

We're monitoring this Bugzilla for Community feedback.

Whiteboard: [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding] Next update 2026-04-30
You need to log in before you can comment on or make changes to this bug.