Open Bug 2007105 Opened 1 month ago Updated 24 days ago

Asseco DS / Certum: CRL URLs disclosed in CCADB do not exactly match the CRL URLs in certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: kateryna.aleksieieva, Assigned: kateryna.aleksieieva)

Details

(Whiteboard: [ca-compliance] [disclosure-failure] Next update 2026-03-31)

Attachments

(1 file)

Preliminary Incident Report

Summary

  • Incident description:
    On 2025-12-18 at 20:09 UTC, Certum received a Certificate Problem Report indicating that there are at least several CRL URLs for valid certificates that are not listed in the CCADB under the field "Full CRL Issued By This CA".

    The preliminary analysis showed that all Root CAs and SubCAs disclosed in CCADB have URLs in the “Full CRL Issued By This CA” field that point to valid CRLs.

    The non-compliance consists in the fact that many of the listed URLs:

    • use the HTTPS protocol instead of HTTP, as specified in the certificates;
    • specify a different host than the one indicated in the certificates (while still pointing to the correct CRL).

    We will publish a full report no later than 2025-12-31.

  • Relevant policies:
    CCADB Policy version 2.0 section 6.2: "URLs: MUST match exactly as they appear in the certificates issued by the corresponding CA."

  • Source of incident disclosure:
    Third party using a Certificate Problem Report

Assignee: nobody → kateryna.aleksieieva
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000061
  • Incident description: On 2025-12-18 at 20:09 UTC, Certum received a Certificate Problem Report indicating that for multiple certificates disclosed in CCADB, the CRL URL(s) present in the certificates did not exactly match the values published in CCADB under the field "Full CRL Issued By This CA". The Certificate Problem Report listed several example CRL URLs; the subsequent investigation expanded the scope to all affected CCADB records. During the investigation, Certum confirmed that the mismatches were caused by the use of HTTPS instead of HTTP in the CRL URLs disclosed in CCADB, and, for some SubCA records, by the omission of dedicated CRL subdomains. All listed URLs resolved to the intended CRLs corresponding to the respective certificates.
  • Timeline summary:
    • Non-compliance start date: 2025-07-15
    • Non-compliance identified date: 2025-12-19 07:00 UTC
    • Non-compliance end date: 2025-12-19 12:00 UTC
  • Relevant policies:
    • CCADB Policy v2.0, section 6.2. "URLs: MUST match exactly as they appear in the certificates issued by the corresponding CA."
    • Apple Root Program policy, section 2.1.2 (Full CRLs)
  • Source of incident disclosure: Third party via a Certificate Problem Report.

Impact

  • Total number of certificates: Not applicable.
  • Total number of "remaining valid" certificates: Not applicable.
  • Affected certificate types: Not applicable.
  • Incident heuristic: (3) the full corpus of affected URLs disclosed in the Appendix.
  • Was issuance stopped in response to this incident, and why or why not?: No. Certificate issuance was not stopped because the incident did not affect certificate issuance, revocation, or validation behavior. All CRLs were continuously reachable and retrievable at the disclosed URLs for the affected certificates throughout the incident period.
  • Analysis: Non-compliance affected 107 CRL URL disclosures associated with CA records in CCADB. There was no security impact and no risk to relying parties. At all times, the CRL URLs published in CCADB resolved to the correct CRLs for the corresponding certificates. The non-compliance was limited to a string-level mismatch between CCADB disclosures and certificate contents (protocol and hostname differences), rather than incorrect or unavailable revocation information.
  • Additional considerations: The issue could lead to third-party compliance checks flagging discrepancies between CCADB entries and certificate profiles. However, there was no scenario in which an incorrect CRL could be retrieved for any affected certificate, and revocation status checking was not degraded.

Timeline

All times are in UTC.

  • 2022-10-01 - The requirement for CA providers to populate the CCADB field "Full CRL Issued By This CA" on Root and Intermediate Certificate records became effective under CCADB and the Apple Root Program.
  • 2025-07-15 - CCADB Policy v2.0 came into effect, clarifying in Section 6.2 that URLs disclosed in CCADB must exactly match the CRL Distribution Point URLs encoded in the corresponding certificates.
  • 2025-12-18 20:09 - Certum received a Certificate Problem Report.
  • 2025-12-19 07:00 - Certum became aware of the incident and initiated investigation and verification activities.
  • 2025-12-19 12:00 - Certum fixed CRL records in CCADB.
  • 2025-12-19 13:32 - Preliminary incident report published on Bugzilla.
  • 2025-12-31 - Full incident report published on Bugzilla.

Related Incidents

Between 18 and 21 December 2025, a series of closely related incidents was disclosed by a third-party researcher, impacting at least nine CA operators and consistently involving discrepancies between CRLDP URLs disclosed in CCADB and those present in issued certificates.

Bug      Date        Description
2002402  2025-11-25  GoDaddy: Missing R1 Intermediate Full CRL URLs in CCADB
2007219  2025-12-19  DigiCert: Some certificates issued with CRLDPs that don’t exactly match CCADB disclosures
2007066  2025-12-19  Disig: Missing CA Disig R2I2 Certification Service Full CRL URLs in CCADB
2007089  2025-12-19  SHECA: subordinate certificates have not published the complete CRL address in CCADB
2007072  2025-12-19  TrustAsia: CRL disclosure address incorrectly using HTTPS scheme in CCADB
2007098  2025-12-19  GlobalSign: misalignment of CRL URL in CCADB with issued certificates
2007116  2025-12-20  D-Trust: CRL URL Disclosure
2007216  2025-12-20  GoDaddy: CRL Disclosure in CCADB Mismatch with Issued Certificates
2007238  2025-12-20  Certigna: CRL URL Disclosure
2007297  2025-12-21  eMudhra emSign PKI Services: CRL URL Mismatch Between CCADB Disclosure and Issued Certificates

Root Cause Analysis

CRL URLs disclosed in CCADB were populated and updated using established URL patterns that had been historically used and were known to correctly resolve to the intended CRLs. When CCADB Policy v2.0 introduced, effective 2025-07-15, a clarified requirement that CRL URLs disclosed in CCADB must exactly match the CRL Distribution Point values encoded in certificates, this clarification was not reflected in the practices used to maintain CCADB records. As a result, previously applied CRL URL patterns continued to be used for both existing CCADB entries and newly added or updated records until the issue was identified through third-party reporting.

Contributing Factor 1: Multiple valid CRL URL resolutions masking underlying differences

  • Description: Because CRL URLs disclosed in CCADB consistently resolved to the correct CRLs (including via redirections), both the URLs disclosed in CCADB and the CRL Distribution Point values encoded in certificates functioned correctly. This included differences such as HTTP vs HTTPS and the use of dedicated CRL subdomains for some SubCAs.
  • Timeline: Present throughout the affected period.
  • Detection: Detected during incident investigation.
  • Interaction with other factors: Not applicable.
  • Root Cause Analysis methodology used: Not applicable.

Contributing Factor 2: Lack of string-level validation with certificate content

  • Description: CCADB updates were performed using manual procedures focused on correctness and availability of CRL information, without a specific check for exact string-level matching between CCADB entries and certificate contents. Differences limited to HTTP vs HTTPS and hostname were not apparent during routine checks, as all disclosed URLs remained reachable and returned the correct CRLs.
  • Timeline: Present throughout the affected period.
  • Detection: Detected during incident investigation.
  • Interaction with other factors: Not applicable.
  • Root Cause Analysis methodology used: Not applicable.

Lessons Learned

  • What went well: The issue was identified through third-party reporting and remediated shortly after it was reported.

  • What didn’t go well: Existing procedures did not ensure systematic validation of CCADB disclosures against certificate contents, allowing discrepancies to persist undetected.

  • Where we got lucky: The discrepancies did not impact CRL availability or correctness, and no relying party was exposed to incorrect revocation information.

  • Additional: Not applicable.

Action Items

Action Item 1: Update the internal procedure to require copying the "Full CRL Issued By This CA" value directly from the CRL Distribution Point in the certificate and to include a mandatory verification step confirming an exact match between the CCADB entry and the certificate.
  • Kind: Prevent / Detect
  • Corresponding Root Cause(s): Contributing Factor #1, #2
  • Evaluation Criteria: Updated procedure and checklist published and applied for all new and modified CCADB CA records; procedure explicitly requires verbatim use and verification of certificate-encoded CRL URLs.
  • Due Date: 2026-01-15
  • Status: Ongoing

Action Item 2: Perform a one-time review of existing CCADB CA records to verify that CRL URLs exactly match the CRL Distribution Point values in the corresponding certificates.
  • Kind: Mitigate
  • Corresponding Root Cause(s): -
  • Evaluation Criteria: Review completed and CCADB records updated where discrepancies were identified.
  • Due Date: 2025-12-19
  • Status: Complete

Action Item 3: Develop a consistency check to verify that selected data from an issued certificate matches the corresponding values recorded in the associated CCADB CA record, to help detect discrepancies like those identified in this incident.
  • Kind: Prevent / Detect
  • Corresponding Root Cause(s): Contributing Factor #2
  • Evaluation Criteria: Consistency check available and used to support verification of CCADB records against issued certificates; identified discrepancies are reviewed.
  • Due Date: 2026-03-31
  • Status: Planned

Appendix

The attachment ccadb_crl_url_corrections.txt contains the full list of affected CCADB records and the corresponding CRL URL values before and after remediation. Each entry corresponds to one CRL URL.
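A string-level consistency check of the kind the third action item describes, added here as an example (not Certum's own tooling): it compares constructed CCADB "Full CRL Issued By This CA" values against constructed certificate-encoded CRLDP URLs, reports every URL that is not disclosed verbatim, and names the components (scheme, host, path) that differ. All hostnames and CA names are placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data (placeholder hostnames, not Certum's real URLs):
# CCADB "Full CRL Issued By This CA" values beside the CRL Distribution Point
# URLs as encoded in each CA's certificate(s).
CCADB_RECORDS = {
    "Example Root CA": ["https://crl.example.test/root.crl"],  # HTTPS instead of HTTP
    "Example Sub CA 1": ["https://example.test/sub1.crl"],     # HTTPS, CRL subdomain omitted
    "Example Sub CA 2": ["http://crl.example.test/sub2.crl"],  # only one of two CRLDPs disclosed
}
CERT_CRLDP = {
    "Example Root CA": ["http://crl.example.test/root.crl"],
    "Example Sub CA 1": ["http://crl.example.test/sub1.crl"],
    "Example Sub CA 2": ["http://crl.example.test/sub2.crl", "http://crl.example.test/sub2b.crl"],
}
URL_PARTS = ("scheme", "netloc", "path", "query", "fragment")

def classify(cert_url, ccadb_url):
    """Return the URL components that differ; an empty tuple means an exact match.
    The policy demands a byte-for-byte match, so any non-empty result is a
    disclosure failure even when both URLs serve the same CRL."""
    if cert_url == ccadb_url:
        return ()
    a, b = urlsplit(cert_url), urlsplit(ccadb_url)
    diff = tuple(p for p in URL_PARTS if getattr(a, p) != getattr(b, p))
    # urlsplit lower-cases the scheme, so "HTTP://" vs "http://" shows no component
    # difference yet still fails the exact-match rule: report it as "other".
    return diff or ("other",)

def check_records(ccadb, certs):
    """Return (ca, cert_url, closest_ccadb_url, differences) for every
    certificate CRLDP URL not disclosed verbatim in the CA's CCADB record."""
    findings = []
    for ca, cert_urls in certs.items():
        disclosed = ccadb.get(ca, [])
        for cert_url in cert_urls:
            if cert_url in disclosed:
                continue  # verbatim match: compliant
            # Pair with a disclosed URL naming the same CRL file to explain the mismatch
            same_file = [u for u in disclosed if urlsplit(u).path == urlsplit(cert_url).path]
            if same_file:
                findings.append((ca, cert_url, same_file[0], classify(cert_url, same_file[0])))
            else:
                findings.append((ca, cert_url, None, ("undisclosed",)))
    return findings

if __name__ == "__main__":
    for ca, cert_url, ccadb_url, diff in check_records(CCADB_RECORDS, CERT_CRLDP):
        print(f"{ca}: {cert_url} vs {ccadb_url}: {', '.join(diff)}")
```

In practice the certificate side would be read from the CA certificate's CRL Distribution Points extension and the CCADB side from the CCADB record export, with any non-empty result blocking the record update.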

Certum has no updates at this time. We kindly request setting the “Next update” field to 2026-01-15, which is the due date of the relevant action item.

Flags: needinfo?(incident-reporting)
Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [disclosure-failure] → [ca-compliance] [disclosure-failure] Next update 2026-01-15

This comment provides a status update for the previously declared action items.

Action Items

Action Item 1: Update the internal procedure to require copying the "Full CRL Issued By This CA" value directly from the CRL Distribution Point in the certificate and to include a mandatory verification step confirming an exact match between the CCADB entry and the certificate.
  • Kind: Prevent / Detect
  • Corresponding Root Cause(s): Contributing Factor #1, #2
  • Evaluation Criteria: Updated procedure and checklist published and applied for all new and modified CCADB CA records; procedure explicitly requires verbatim use and verification of certificate-encoded CRL URLs.
  • Due Date: 2026-01-15
  • Status: Complete

Action Item 2: Perform a one-time review of existing CCADB CA records to verify that CRL URLs exactly match the CRL Distribution Point values in the corresponding certificates.
  • Kind: Mitigate
  • Corresponding Root Cause(s): -
  • Evaluation Criteria: Review completed and CCADB records updated where discrepancies were identified.
  • Due Date: 2025-12-19
  • Status: Complete

Action Item 3: Develop a consistency check to verify that selected data from an issued certificate matches the corresponding values recorded in the associated CCADB CA record, to help detect discrepancies like those identified in this incident.
  • Kind: Prevent / Detect
  • Corresponding Root Cause(s): Contributing Factor #2
  • Evaluation Criteria: Consistency check available and used to support verification of CCADB records against issued certificates; identified discrepancies are reviewed.
  • Due Date: 2026-03-31
  • Status: Ongoing

We kindly request setting the “Next update” field to 2026-03-31, which is the due date of the last action item.

Flags: needinfo?(incident-reporting)
Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [disclosure-failure] Next update 2026-01-15 → [ca-compliance] [disclosure-failure] Next update 2026-03-31