Open Bug 2014590 Opened 1 month ago Updated 20 hours ago

IdenTrust: Unauthorized OCSP responses for cross-signed roots

Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
Status: ASSIGNED
People: Reporter: roots, Assigned: roots, NeedInfo
Whiteboard: [ca-compliance] [ocsp-failure]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36

Steps to reproduce:

Preliminary Incident Report

Summary

  • Incident Description
    During routine monitoring with SSLMate’s watch, we identified four cross-signed certificates issued by our CA that were flagged for an "unauthorized OCSP response error." Upon investigation, we confirmed that OCSP was not functioning for these four cross-signed certificates because the corresponding ICAs had not been properly included in the OCSP configuration prior to disclosing the certificates to CCADB.

  • Relevant policies:
    RFC 6960 Section 2.3 and BR section 4.9.9

Source of incident disclosure:
CA Owner self-disclosed

Impact

Since the required ICAs were missing from the OCSP configuration, OCSP checks for the four cross-signed certificates returned error responses.

We will provide a full incident report by February 17, 2024

> During routine monitoring with SSLMate’s watch, we identified four cross-signed certificates issued by our CA that were flagged for an "unauthorized OCSP response error." Upon investigation, we confirmed that OCSP was not functioning for these four cross-signed certificates because the corresponding ICAs had not been properly included in the OCSP configuration prior to disclosing the certificates to CCADB.

My pardon, but if the report is only made possible because of a third-party tool - is it truly "self-disclosed" as claimed in this 'Preliminary Incident Report'?

Assignee: nobody → roots
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [ocsp-failure]

(In reply to Dean F. Reed from comment #1)

Thank you for raising this point. To clarify, the identification of the issue was aided by SSLMate’s monitoring tool, but the confirmation, root cause analysis, and subsequent full incident disclosure are to be performed internally by our team. We interpret the term “self-disclosed” as the fact that we voluntarily reported the incident after our own investigation, rather than being notified by an external party. The third-party tool serves as an alerting mechanism, not as the source of the disclosure.

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000036
  • Incident description:
    During routine monitoring with SSLMate’s watch, we identified four cross-signed certificates issued by our CA that were flagged for an "unauthorized OCSP response error." Upon investigation, we confirmed that OCSP was not functioning for these four cross-signed certificates because the corresponding ICAs had not been properly included in the OCSP configuration prior to disclosing the certificates to CCADB.
  • Timeline summary:
    • Non-compliance start date: 2026-01-26
    • Non-compliance identified date: 2026-02-02
    • Non-compliance end date: 2026-02-05
  • Relevant policies:
    RFC 6960 Section 2.3 and BR section 4.9.9
  • Source of incident disclosure:
    CA Owner self-disclosed

Impact

  • Total number of certificates: 4
  • Total number of "remaining valid" certificates: 4
  • Affected certificate types: Cross-Signed roots
  • Incident heuristic: See list in appendix
  • Was issuance stopped in response to this incident, and why or why not?: N/A
  • Analysis:
  • Additional considerations:

Timeline - All times are in UTC

  • 2026-01-29 15:49 - Issue the cross-signed certificates
  • 2026-01-29 18:29 - Disclosed the cross-signed certificate in CCADB
  • 2026-02-02 16:30 - Noticed OCSP errors in SSLMate’s watch
  • 2026-02-02 20:30 - Uploaded missing certificates in OCSP DB
  • 2026-02-05 17:30 - Disclosed preliminary Incident
  • 2026-02-17 17:30 - Disclosed full incident report

Related Incidents

Bug      Date        Description
1985307  2025-08-26  OCSP and CRL traffic not being proxied for 3 Subordinate CAs
1964866  2025-05-06  OCSP service response error
1905446  2024-06-28  Unauthorized OCSP response on a Timestamp certificate

Root Cause Analysis

OCSP was not functioning for four cross signed ICAs because they were omitted from the OCSP database.
Contributing factors:
1.  Configuration gap: Cross signed ICAs were not included in the OCSP responder’s certificate inventory/profile.
2.  Process oversight: The operational checklist for adding new or cross signed ICAs to OCSP did not explicitly cover all cross sign scenarios prior to CCADB disclosure.
3.  Change management timing: CCADB disclosure occurred before the OCSP config update and validation were completed for the cross signed path(s).

Lessons Learned

Disclosure sequencing matters: CCADB publication should follow verifiable OCSP readiness checks for every chain variant.

  • What went well:
    Effective external monitoring and detection, prompt internal investigation and confirmation, and timely remediation.
  • What didn’t go well:
    Incomplete operational readiness checks prior to disclosure
  • Where we got lucky:
  • Additional:

Action Items

  • Action item: Disclosed certificates in OCSP DB
    Kind: Correct
    Corresponding root cause(s): Root Cause
    Evaluation criteria: No longer flagged in monitors
    Due date: 2026-02-02
    Status: Complete
  • Action item: Add cross-signed certificate type to the OCSP validation checking process in place for other certificates
    Kind: Prevent
    Corresponding root cause(s): Root Cause
    Evaluation criteria: Not flagged in error in monitors
    Due date: 2026-02-02
    Status: Complete

Appendix

The CRLs and OCSP responses generated by these cross-signed root CAs were temporarily impacted:

We have no further pending actions for this issue. Can this ticket be closed?
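The Lessons Learned section calls for a verifiable OCSP readiness check for every chain variant before CCADB publication. As an added example that is not IdenTrust's tooling or any code from this bug, here is a stdlib-only Python gate that decodes the outer OCSPResponse status of RFC 6960 (section 2.3 / 4.2.1) for each variant and marks a variant ready only when the responder returns successful(0) with an id-pkix-ocsp-basic response; an unauthorized(6) status, the symptom in this incident, is reported as the issuer being absent from the responder inventory. The sample DER bytes and the variant names are constructed for the example.

```python
# OCSPResponseStatus values from RFC 6960 section 4.2.1 (value 4 is not assigned)
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
# id-pkix-ocsp-basic = 1.3.6.1.5.5.7.48.1.1, DER-encoded OID body
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")

def _read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end

def parse_ocsp_response(der):
    """Return (status name, responseType OID bytes or None) of an OCSPResponse."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, val, nxt = _read_tlv(body)
    if tag != 0x0A:
        raise ValueError("responseStatus must be ENUMERATED")
    code = int.from_bytes(val, "big")
    status = STATUS_NAMES.get(code, f"unknown({code})")
    if nxt >= len(body):
        return status, None                 # error statuses carry no responseBytes
    tag, rb, _ = _read_tlv(body, nxt)
    if tag != 0xA0:
        raise ValueError("responseBytes must be [0] EXPLICIT")
    _, seq, _ = _read_tlv(rb)               # ResponseBytes SEQUENCE
    oid_tag, oid, _ = _read_tlv(seq)        # responseType OID
    return status, oid if oid_tag == 0x06 else None

def readiness_gate(responses):
    """Map each chain variant to a verdict; only a successful basic response passes."""
    verdicts = {}
    for variant, der in responses.items():
        status, oid = parse_ocsp_response(der)
        if status == "successful" and oid == ID_PKIX_OCSP_BASIC:
            verdicts[variant] = "ready"
        elif status == "unauthorized":
            verdicts[variant] = "NOT READY: unauthorized (issuer absent from responder inventory)"
        else:
            verdicts[variant] = f"NOT READY: {status}"
    return verdicts

# Constructed sample responses (hypothetical variant names, not captured from a real responder)
SAMPLES = {
    "root-A-direct": bytes.fromhex("30160a0100a011300f06092b06010505073001010402dead"),
    "root-A-cross-signed": bytes.fromhex("30030a0106"),   # bare unauthorized(6)
}
```

Run `readiness_gate(SAMPLES)` on the constructed input and the cross-signed variant is the one that fails the gate, which is exactly the state that should have blocked CCADB disclosure here.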

IdenTrust,

The process for requesting incident report closure is clearly documented in the CCADB IRGs. You must file a Closure Report, following the template. https://www.ccadb.org/cas/incident-report#closure-report

Flags: needinfo?(roots)

We'll submit a closure report, by end of next week.

Flags: needinfo?(roots)

Report Closure Summary

  • Incident description:
    During routine monitoring with SSLMate’s watch, we identified four cross-signed certificates issued by our CA that were flagged for an "unauthorized OCSP response error." Upon investigation, we confirmed that OCSP was not functioning for these four cross-signed certificates because the corresponding ICAs had not been properly included in the OCSP configuration prior to disclosing the certificates to CCADB.

  • Incident Root Cause(s):
    OCSP was not functioning for four cross signed ICAs because they were omitted from the OCSP database.

    Contributing factors:

    1. Configuration gap: Cross signed ICAs were not included in the OCSP responder’s certificate inventory/profile.
    2. Process oversight: The operational checklist for adding new or cross signed ICAs to OCSP did not explicitly cover all cross sign scenarios prior to CCADB disclosure.
    3. Change management timing: CCADB disclosure occurred before the OCSP config update and validation were completed for the cross signed path(s).
  • Remediation description:
    After the OCSP certificate was posted in the database, correct OCSP responses were restored.

  • Commitment summary:
    Committed action items are now complete:

    • Action item: Disclosed certificates in OCSP DB
      Kind: Correct
      Corresponding root cause(s): Root Cause
      Evaluation criteria: Not flagged in error in monitors
      Due date: 2026-02-02
      Status: Complete
    • Action item: Add cross-signed certificate type to the OCSP validation checking process in place for other certificates
      Kind: Prevent
      Corresponding root cause(s): Root Cause
      Evaluation criteria: Not flagged in error in monitors
      Due date: 2026-02-02
      Status: Complete

All Action Items disclosed in this report have been completed as described, and we request its closure.

Flags: needinfo?(incident-reporting)