Open Bug 2016585 Opened 13 hours ago

IdenTrust: Test Certificates from cross-signed roots not disclosed in CT Logs

Categories

(CA Program :: CA Certificate Compliance, defect)

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: roots, Unassigned)

Details

Steps to reproduce:

Preliminary Incident Report

Summary

  • Incident description:
    During a review of test automation certificates, we identified that several certificates failed browser validation due to missing Certificate Transparency (CT) log entries. These certificates originated from a newly cross-signed TLS CA hierarchy. At this time, no customer certificates have been issued from these cross-signed hierarchies. The issue was limited exclusively to test automation certificates.
    The affected certificates have been revoked, and new test automation certificates have been issued with proper CT log submissions.

  • Relevant policies:

      • CA/B Forum TLS Baseline Requirements - Section 3.2.2.8 - Certificate Transparency
        Publicly trusted TLS certificates must be submitted to one or more qualified CT logs in accordance with applicable browser root program requirements.

      • Chrome Root program v1.8 - 1.3.4.2 - Logging Final Certificates
        CA Owners with CA certificates that validate to a certificate included in the Chrome Root Store SHOULD ensure that all TLS server authentication certificates (i.e., "final certificates") issued by such CAs are logged to at least one (1) CT log recognized by Chrome as Usable or Qualified within 24 hours of issuance.

      • IdenTrust TLS CP/CPS - 9.4.3.1 - Publication of Server Certificates
        IdenTrust complies with Certificate Transparency (CT) publishing new, renewed, and replaced TrustID server Certificates (DV, OV, and EV) into at least 3 public Certificate Transparency logs created for this purpose.

  • Source of incident disclosure:
    CA Owner self-disclosed.

A full incident report will be disclosed by February 26, 2026.
