Closed Bug 907347 Opened 11 years ago Closed 7 years ago

Revoked Intermediate Cert info from GlobalSign

Categories

(NSS :: CA Certificates Code, task)

Product:
NSS
Component:
CA Certificates Code
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Unassigned)

References

Details

As per the recent CA Communication 
(https://wiki.mozilla.org/CA:Communications#July_30.2C_2013)
GlobalSign sent the following information about their revoked intermediate certificates.

The oldest 'Partners' CA https://secure.globalsign.net/cacert/Partners.crt
is due to expire on the 27th Jan 2014. We revoked 4 certs in July 2012
as a clean up exercise. The CRL for this service is
http://crl.globalsign.net/Partners.crl. 

Serial Number: 04000000000109F8623BEB Revocation Date: Jul  5 18:00:00
2012 GMT Expiry Date was 26th Jan 2014
Serial Number: 0400000000011E1C35BF07 Revocation Date: Jul  5 18:00:00
2012 GMT Expiry Date was 1st Nov 2012
Serial Number: 040000000001085884A7DB Revocation Date: Jul  5 18:00:00
2012 GMT Expiry Date was 27th Jan 2014
Serial Number: 0400000000011764DBF017 Revocation Date: Jul  5 18:00:00
2012 GMT Expiry Date was 26th Jan 2014

A newer RootSign Partners CA
https://secure.globalsign.net/cacert/RootSignPartners-R1.crt 
expires in 2028 (Originally also 2014
https://secure.globalsign.net/cacert/RootSignPartners.crt but boosted to
2028 in 2008) and therefore we still have partners using.  We have revoked
in the past and we will continue to revoke in the future certificates
owned by customers who have moved across to the latest Name Constraints
based service we created in 2012.  The CRL for this service is
http://crl.globalsign.net/RootSignPartners.crl.  

Serial Number: 040000000001094550F4DA Revocation Date: Jan 3 06:00:00 2013
GMT Expiry Date was 7th Feb 2013
Serial Number: 04000000000100FA6E561D Revocation Date: Dec 8 06:00:00 2011
GMT Expiry Date was 4th Dec 2013
Serial Number: 040000000001047628205B Revocation Date: Dec 8 06:00:00 2011
GMT Expiry Date was 13th Jun 2012
Serial Number: 0400000000011E4487952A Revocation Date: Jul 8 06:00:00 2013
GMT Expiry Date was 17th Dec 2018
Serial Number: 04000000000100998F8DF4 Revocation Date: Jul 5 18:00:00 2012
GMT Expiry Date was 3rd Dec 2013
Serial Number: 040000000000F97FC62329 Revocation Date: Dec 8 06:00:00 2011
GMT Expiry Date was 16th Dec 2013
Serial Number: 04000000000118C1B41A6C Revocation Date: Jul 8 06:00:00 2013
GMT Expiry Date was 18th Mar 2018
Serial Number: 04000000000118C1A37ED6 Revocation Date: Jul 8 06:00:00 2013
GMT Expiry Date was 18th Mar 2018
Serial Number: 04000000000127FB9F420F Revocation Date: Jul 8 06:00:00 2013
GMT Expiry Date was 25th Nov 2019
Serial Number: 0400000000012945C3AB1C Revocation Date: Jul 8 06:00:00 2013
GMT Expiry Date was 17th Jun 2020
Serial Number: 0400000000011C944A3290 Revocation Date: Jul 5 18:00:00 2012
GMT Expiry Date was 24th Sep 2018
Serial Number: 0400000000012596C45382 Revocation Date: Jul 8 06:00:00 2013
GMT Expiry Date was 16th Dec 2019
Serial Number: 0400000000011C944A3669 Revocation Date: Jul 8 06:00:00 2013
GMT Expiry Date was 24th Sep 2018
Serial Number: 04000000000103F037E445 Revocation Date: Dec 8 06:00:00 2011
GMT Expiry Date was 18th May 2012

The final service is the newest and it's called Trusted Root
http://secure.globalsign.com/cacert/trustrootg2.crt. It has a CRL
http://crl.globalsign.com/gs/trustrootg2.crl but has no revoked
certificates. 

GlobalSign has not revoked any issuing certificates from our own
infrastructure.
Apologies for updating this bug later than planned.  GlobalSign revoked the following certificates on the 4th March from the Trusted Root CA.  ie http://secure.globalsign.com/cacert/trustrootg2.crt. It has a CRL
http://crl.globalsign.com/gs/trustrootg2.crl

Serial Number: ‎39804a831107a56ffc5c6006025bc9c8c0 Revocation Date: Mar 4 01:00:00 2014
GMT Expiry Date was 11th Oct 2016
Serial Number: ‎7bf7c87e0d838f6b64608595bb6afcd827 Revocation Date: Mar 4 01:00:00 2014
GMT Expiry Date was 19th ‎March ‎2018
Serial Number: ‎61124d7cca1cd76229996f849e9bf73dda Revocation Date: Mar 4 01:00:00 2014
GMT Expiry Date was 30th April ‎2018
Serial Number: ‎515f5a68378d44db50b978d1624e129218 Revocation Date: Mar 4 01:00:00 2014
GMT Expiry Date was 18th April ‎2018

GlobalSign has also started to issue SHA256 based certificates from the Trusted Root SHA256 CA created at the same time as the SHA1 CA in April 2014.  The CA is http://secure.globalsign.com/cacert/trustrootsha2g2.crt  It has a CRL
http://crl.globalsign.com/gs/trustrootsha2g2.crl but has no revoked
certificates.

Both Trusted Root and Trusted Root SHA256 implement non critical Name Constraints on all CAs they issue.   Remaining RootSign Partner CAs are all in revocation mode only and will be revoked periodically over the next 18 months as certificates they issued naturally expire.
GlobalSign has been working hard to move many customers over to either a disclosed and audited model or technical constraints.  As such we have performed a revocation ceremony in May (earlier than our usual July/Jan ceremonies to aid compliance to Mozilla's May 30th deadlines) i.e. to clear some of the remaining CA's that have moved from CRL only mode to End of Life.  

http://crl.globalsign.net/RootSignPartners.crl has been updated.

Serial Number: ‎0400000000011e44878f3f Revocation Date: May 14th 07:00:00 2014
GMT Expiry Date was 17th Dec 2018
Serial Number: ‎04000000000127fb9f45d8 Revocation Date: May 14th 07:00:00 2014
GMT Expiry Date was 14th April 2020
Serial Number: ‎0400000000012ccffbaa39 Revocation Date: May 14th 07:00:00 2014
GMT Expiry Date was 10th Dec 2020
Serial Number: ‎‎04000000000132b4bbb768 Revocation Date: May 14th 07:00:00 2014
GMT Expiry Date was 29th Sept 2021

The next scheduled revocation ceremony to update this bug will be September 2014
Blocks: OneCRL
We shall continue to present revocation information here as it's a useful repository for other root programs.   GlobalSign has performed the following CA based revocations in August and September.

http://crl.globalsign.com/gs/trustrootg2.crl has been updated. 
Serial Number: ‎00b0f35c09213d3648378f2e48375c5ed9 Revocation Date: 3rd September 2014 01:00:00 2014
GMT Expiry Date was 30th April 2018
Serial Number: ‎‎17b3c08f0da4d1d4d7e5eb1c3e7c95381a Revocation Date: 3rd September 2014 01:00:00 2014
GMT Expiry Date was 28th November 2018
Serial Number: ‎‎514dc03f548cc66ca1045abb31115999fd Revocation Date: 3rd September 2014 01:00:00 2014
GMT Expiry Date was 13th October 2019

http://crl.globalsign.net/RootSignPartners.crl has been updated. 
Serial Number: ‎0400000000012507408e29 Revocation Date: 3rd September 2014 01:00:00 2014
GMT Expiry Date was 18th Nov 2019
Serial Number: ‎‎‎040000000001331bc2f5b9 Revocation Date: 3rd September 2014 01:00:00 2014
GMT Expiry Date was 19th October 2021

http://crl.globalsign.net/PrimObject.crl has been updated to close down two operational CAs that have ceased to issue certificates.
Serial Number: ‎‎‎‎0400000000011e44a5ecbe Revocation Date: 26th August 2014 07:00:00 2014
GMT Expiry Date was 27 January 2017
Serial Number: ‎‎‎‎0400000000011e44a5ecbe Revocation Date: 26th August 2014 07:00:00 2014
GMT Expiry Date was 27 January 2017
http://crl.globalsign.net/RootSignPartners.crl has been updated. 
Serial Number: ‎‎‎‎040000000001281fce1aa2 Revocation Date: 4th January ‎06:00:00 2015 GMT Expiry Date was 21th April ‎‎2020
Blocks: onecrl-meta
No longer blocks: OneCRL
Depends on: 1155145
Over the last 2 quarters GlobalSign has been doing some administration work on our subordinate CAs.  These should have been added in November 2014, but the update to this bug was missed.  

The revocations performed in November, as well as adding to the ones list previously, focused on revoking CA's by the roots (not previously done) which had been deprecated for some time (in terms of the CA's that we offer to customers in PKCS#7 chains when subscribers purchase certificates) and decommissioning of older CAs which supported technology such as SGC.   None of these were 'critical', however as Mozilla is now actively including revoked CA's (via https://bugzilla.mozilla.org/show_bug.cgi?id=1155145) then here are the additional CRLs which need to be included. 

http://crl.globalsign.net/root.crl contains 4 entries.
Serial Number: ‎0400000000011e44a5e404 Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 27 January 2022
Serial Number: ‎‎0400000000012945c3a80f Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 17 June 2020
Serial Number: ‎‎0400000000012019c18d68 Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 27 January 2017
Serial Number: ‎‎0400000000012c5e7f1a88 Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 28 January 2028

http://crl.globalsign.net/root-r2.crl contains 4 entries.
Serial Number: ‎‎040000000001220d3c0f75 Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 15 December 2021
Serial Number: ‎‎‎040000000001220d3c14c5 Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 15 December 2021
Serial Number: ‎‎‎040000000001100b8ca11b Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 15 December 2021
Serial Number: ‎‎‎04000000000127fbf76700 Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 15 December 2021

http://crl.globalsign.net/root-r3.crl contains 3 entries.
Serial Number: ‎‎‎0400000000013189c646ec Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 2 August 2022
Serial Number: ‎04000000000125071040dd Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 18 March 2019
Serial Number: ‎‎‎‎04000000000125071044d5 Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 18 March 2019

http://crl.globalsign.com/gs/trustrootg2.crl was also updated with 5 entries. 
Serial Number: ‎6c03ab29232c980d0c2c9c80279051b143 Revocation Date: Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 16 July 2018
Serial Number: ‎0c093d872f038474a8f9a41eb6f3c1fdf6 Revocation Date: Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 18 April 2018
Serial Number: ‎‎3b64bdf65554c44acb4a4e7a1af591bfe1 Revocation Date: Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 28 November 2018
Serial Number: ‎‎17b3c08f0da4d1d4d7e5eb1c3e7c95381a Revocation Date: Revocation Date: 25th November 2014 01:00:00
GMT Expiry Datewas 28 November 2018
Serial Number: ‎‎32ad0fea8d371439340766e727e9983c6a Revocation Date: Revocation Date: 25th November 2014 01:00:00
GMT Expiry Date was 13 December 2017
http://crl.globalsign.net/RootSignPartners.crl has been updated with
Serial Number: 0400000000011e4487922d Revocation Date: 4th July ‎06:00:00 2015 GMT Expiry Date was 17th ‎December ‎2018

This revocation is not compromises, this is to ensure the hierarchy remains clean as we've closed down old products which no longer issue.
A final long life CRL of http://crl.globalsign.net/RootSignPartners.crl has been updated with the 3 below additional revocations,

serial number: 04000000000116aa006682 revocation date: Mon Jan 04 06:00:00 GMT 2016 Expiry Date was 5th December 2017
serial number: 04000000000133a777674b revocation date: Mon Jan 04 06:00:00 GMT 2016 Expiry Date was 15th November 2016
serial number: 0400000000012c5e7f1d76 revocation date: Mon Jan 04 06:00:00 GMT 2016 Expiry Date was 18th November 2020

These revocations are not compromises, thy are to ensure the hierarchy remains clean as we've closed down old products which no longer issue.
After 4th Jan 2016, there will be no active CAs running under RootSignPartners CA. To mitigate potential risks, we revoked RootSignPartners CA on 7th Jan 2016 from its issuer Root R1. So now  http://crl.globalsign.net/root.crl contains 1 more entry (in total 5 entries now),

Serial Number: ‎040000000001154b5ac5a7 Revocation Date: 7th January 2016 00:00:00 GMT Expiry Date was  28th ‎January ‎2028 


As such, the following 3 non-expired but deprecated certificates are also effectively revoked,

Serial Number: 040000000001163e9ea34b Effective Revocation Date: 7th January 2016 00:00:00 GMT Expiry Date was  06th ‎August ‎2022
Serial Number: ‎‎04000000000127fb9f4962 Effective Revocation Date: 7th January 2016 00:00:00 GMT Expiry Date was  14th ‎April ‎2020
Serial Number: ‎040000000001325855d4a2 Effective Revocation Date: 7th January 2016 00:00:00 GMT Expiry Date was  27th ‎September ‎2021

All the above (effective) revocations are not compromises, they are to ensure the hierarchy remains clean as we've closed down old products which no longer issue.
http://crl.globalsign.com/gs/trustrootg2.crl was also updated with 1 entries,
Serial Number: 195284f98010af6326bb38bc514d056df8 
Revocation Date: Wednesday, ‎May ‎18, ‎2016 00:00:00 AM GMT 
Expiry Date was 28 May 2019

This revocation is not compromises, it is to ensure the hierarchy remains clean as we've closed down old products which no longer issue.
All of the non-expired revoked intermediate certificate listed in the Description have been added to OneCRL.
I will check back on the remaining non-expired revoked intermediate certificates listed in this bug when we have finished adding all of the revoked intermediate certificates in Salesforce to OneCRL.
(In reply to Steve Roylance from comment #1)
> Apologies for updating this bug later than planned.  GlobalSign revoked the
> following certificates on the 4th March from the Trusted Root CA.  ie
> http://secure.globalsign.com/cacert/trustrootg2.crt. It has a CRL
> http://crl.globalsign.com/gs/trustrootg2.crl
> 
> Serial Number: ‎39804a831107a56ffc5c6006025bc9c8c0 Revocation Date: Mar 4
> 01:00:00 2014

Added to OneCRL

> Serial Number: ‎7bf7c87e0d838f6b64608595bb6afcd827 Revocation Date: Mar 4
> 01:00:00 2014

Not found in CCADB.

> Serial Number: ‎61124d7cca1cd76229996f849e9bf73dda Revocation Date: Mar 4
> 01:00:00 2014

Not found in CCADB.


> Serial Number: ‎515f5a68378d44db50b978d1624e129218 Revocation Date: Mar 4
> 01:00:00 2014

Not found in CCADB.
(In reply to Kathleen Wilson from comment #12)
> (In reply to Steve Roylance from comment #1)
> > Apologies for updating this bug later than planned.  GlobalSign revoked the
> > following certificates on the 4th March from the Trusted Root CA.  ie
> > http://secure.globalsign.com/cacert/trustrootg2.crt. It has a CRL
> > http://crl.globalsign.com/gs/trustrootg2.crl
> > 
> > Serial Number: ‎39804a831107a56ffc5c6006025bc9c8c0 Revocation Date: Mar 4
> > 01:00:00 2014
> 
> Added to OneCRL
> 
> > Serial Number: ‎7bf7c87e0d838f6b64608595bb6afcd827 Revocation Date: Mar 4
> > 01:00:00 2014
> 
> Not found in CCADB.

This one has EKUs and NCs, considered as technically constrained, so it is not disclosed in Salesforce. Below is its pem,
-----BEGIN CERTIFICATE-----
MIIGljCCBX6gAwIBAgIRe/fIfg2Dj2tkYIWVu2r82CcwDQYJKoZIhvcNAQEFBQAw
XDELMAkGA1UEBhMCQkUxFTATBgNVBAsTDFRydXN0ZWQgUm9vdDEZMBcGA1UEChMQ
R2xvYmFsU2lnbiBudi1zYTEbMBkGA1UEAxMSVHJ1c3RlZCBSb290IENBIEcyMB4X
DTEzMDMxOTAwMDAwMFoXDTE4MDMxOTAwMDAwMFowfTELMAkGA1UEBhMCVVMxGTAX
BgNVBAoTEEFUVCBTZXJ2aWNlcyBJbmMxGzAZBgNVBAsTEkFUVCBXaS1GaSBTZXJ2
aWNlczE2MDQGA1UEAxMtQVRUIFdpLUZpIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNh
dGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkz0T
VUrWsop/D05aA7XEWifAcN70J97EPYiMGB81Lk3/LeOFWXQwYLBVqFiSETezQco+
D+72dYZCx2lGIA1X9/A/D3Xo1DdQs6bPLKFstQQ6o0E/tEh1RUoyd0fzvBQ9pVHh
kOjvx94kZ3+0dlJx8lERO9NMvos6ybmlb17JVy021/mCv+zr7MjBzVi66YcyvtDX
JU0AqO/lcNLXSe3y85gXZGeqJNNkHG4RwzB3DWoEcP+USGWoglnh3jCYujcbhAw1
tAPtWsNP8D4LpHJfex7nkssVIA6D0q+EYhiWFI85nRqMGfaSRab1semGd3ULyyNG
rXC+tzOCf8casNl4eQIDAQABo4IDMDCCAywwDgYDVR0PAQH/BAQDAgEGMIHfBgNV
HSAEgdcwgdQwQQYJKwYBBAGgMgE8MDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3
Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMIGOBgsrBgEEAaNIg30BATB/MC8G
CCsGAQUFBwIBFiNodHRwOi8vY3JsLnBraS53YXlwb3J0Lm5ldC9jcHMuaHRtbDBM
BggrBgEFBQcCAjBADD5Db3B5cmlnaHQgKGMpIDIwMTEtMjAxMyBBVFQgV2ktRmkg
U2VydmljZXMgQWxsIFJpZ2h0cyBSZXNlcnZlZDASBgNVHRMBAf8ECDAGAQH/AgEB
MIH0BgNVHR4EgewwgemggbQwDYILd2F5cG9ydC5uZXQwDYILYXR0d2lmaS5jb20w
EIIOc3VwZXJjbGljay5uZXQwEIIOc3VwZXJjbGljay5jb20wDYELd2F5cG9ydC5u
ZXQwDYELYXR0d2lmaS5jb20wEIEOc3VwZXJjbGljay5uZXQwEIEOc3VwZXJjbGlj
ay5jb20wLqQsMCoxCzAJBgNVBAYTAlVTMRswGQYDVQQKExJBVFQgV2ktRmkgU2Vy
dmljZXOhMDAKhwgAAAAAAAAAADAihyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAADAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMJ
MD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3Mv
dHJ1c3Ryb290ZzIuY3JsMIGEBggrBgEFBQcBAQR4MHYwMwYIKwYBBQUHMAGGJ2h0
dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS90cnVzdHJvb3RnMjA/BggrBgEFBQcw
AoYzaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvdHJ1c3Ryb290
ZzIuY3J0MB0GA1UdDgQWBBTPSQPfu4RwQK2N9aJ7NUYFRR6u5zAfBgNVHSMEGDAW
gBQU9uWLMbZFgEpMbfzCh4nKNsOQYjANBgkqhkiG9w0BAQUFAAOCAQEAo+tBgmdj
7JurkQ9FDgVbdwujJvQBi0ZJaxfv2Ml1X6Nc67cA8MJNybWlo1c1i79uewAR9/5o
jNgF/DRRUY5IgI/gZbvVh5zo6EAJ810cwYcax2XtMUH8txrh4q5tkQGREv/FWH/X
aIutE3E2ZS9j9X3WOl3Sl/pVv17jf7u4P/7281LHo7mb7WNkUjUxdl24oLTlGsRZ
+74MyNVfWiiT6B2U/DbDjiz1/35J5tMdMrrpr3rCPgmZVLP9QW2y3n6w2Me0DPLm
zn0qFDGyf1FwE8mH4TBJfyTZE9dZik4Elr3LOiMe4beSphIm71/JYHFYOHgUeB2h
W1tbdVLT+jy/2Q==
-----END CERTIFICATE-----

> 
> > Serial Number: ‎61124d7cca1cd76229996f849e9bf73dda Revocation Date: Mar 4
> > 01:00:00 2014
> 
> Not found in CCADB.

This one has EKUs and NCs, considered as technically constrained, so it is not disclosed in Salesforce. Below is its pem,
-----BEGIN CERTIFICATE-----
MIIIvTCCB6WgAwIBAgIRYRJNfMoc12IpmW+Enpv3PdowDQYJKoZIhvcNAQELBQAw
XDELMAkGA1UEBhMCQkUxFTATBgNVBAsTDFRydXN0ZWQgUm9vdDEZMBcGA1UEChMQ
R2xvYmFsU2lnbiBudi1zYTEbMBkGA1UEAxMSVHJ1c3RlZCBSb290IENBIEcyMB4X
DTEzMDQzMDAwMDAwMFoXDTE4MDQzMDAwMDAwMFowYDELMAkGA1UEBhMCVVMxEDAO
BgNVBAgTB0Zsb3JpZGExETAPBgNVBAoTCFFwYXkgSW5jMSwwKgYDVQQDEyNRcGF5
IEluYyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAIjXI4zU8C+HEnUokXudqZfoRyEoPdQ02ptrcoF1jSQS
mC/heYnXNy7MCewVCut+/DEVZ+Zlzrgn/YIJGKnvZZQvnxdtFiHyK/aUrCsk5sgh
m53MQCkJzQnmN154jh73nlQIf5ea0mS3Bqxa+mf1Y7WWFJtpYhEu8RqZWluhOO4e
OqO5zYkZCqBm221wMPxzDsaRx/lhhUbNJKzm5AoUFlXOpufZ+L5bv6nGXkr5fhZa
KciEHIHsvhHtS9qIig83+pj9fU7yrF7oFup0g6gnbbpRzf3BNVYlo4QWD3ug7beG
I1pSKXhcCZjy/Nv3NiWC/hkDzzwWWQtO73EV6eBgwQMCAwEAAaOCBXQwggVwMA4G
A1UdDwEB/wQEAwIBBjCBzQYDVR0gBIHFMIHCMEIGCisGAQQBoDIBPAEwNDAyBggr
BgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8w
fAYMKwYBBAGCwXmDfQEBMGwwKwYIKwYBBQUHAgEWH2h0dHA6Ly9wa2kucXBheTEy
My5jb20vY3BzLmh0bWwwPQYIKwYBBQUHAgIwMQwvQ29weXJpZ2h0IChjKSAyMDEz
IFFwYXkgSW5jIEFsbCBSaWdodHMgUmVzZXJ2ZWQwEgYDVR0TAQH/BAgwBgEB/wIB
ATCCA0kGA1UdHgSCA0AwggM8oIIDBjANggtxcGF5MTIzLmNvbTANggtxcGF5bmV0
LmNvbTANggtxcGF5MTIzLmJpejAPgg1teXN0YXIxMjMuY29tMAyCCnFwYXliaS5j
b20wEIIOcXBheXJlcG9ydC5jb20wE4IRcXBheXJlcG9ydGluZy5jb20wDYILcXBh
eWNzZS5jb20wD4INY3NlcmVwb3J0LmNvbTATghFtaWVzdHJlbGxhMTIzLmNvbTAT
ghFtaWVzdHJlbGxhMTIzLm5ldDAVghNzaW5saW1pdGVtZXhpY28uY29tMBWCE3Bv
bGFuZHVubGltaXRlZC5jb20wDoEMLnFwYXkxMjMuY29tMA2BC3FwYXkxMjMuY29t
MA6BDC5xcGF5bmV0LmNvbTANgQtxcGF5bmV0LmNvbTAOgQwucXBheTEyMy5iaXow
DYELcXBheTEyMy5iaXowEIEOLm15c3RhcjEyMy5jb20wD4ENbXlzdGFyMTIzLmNv
bTANgQsucXBheWJpLmNvbTAMgQpxcGF5YmkuY29tMBGBDy5xcGF5cmVwb3J0LmNv
bTAQgQ5xcGF5cmVwb3J0LmNvbTAUgRIucXBheXJlcG9ydGluZy5jb20wE4ERcXBh
eXJlcG9ydGluZy5jb20wDoEMLnFwYXljc2UuY29tMA2BC3FwYXljc2UuY29tMBCB
Di5jc2VyZXBvcnQuY29tMA+BDWNzZXJlcG9ydC5jb20wFIESLm1pZXN0cmVsbGEx
MjMuY29tMBOBEW1pZXN0cmVsbGExMjMuY29tMBSBEi5taWVzdHJlbGxhMTIzLm5l
dDATgRFtaWVzdHJlbGxhMTIzLm5ldDAWgRQuc2lubGltaXRlbWV4aWNvLmNvbTAV
gRNzaW5saW1pdGVtZXhpY28uY29tMBaBFC5wb2xhbmR1bmxpbWl0ZWQuY29tMBWB
E3BvbGFuZHVubGltaXRlZC5jb20wNqQ0MDIxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
EwdGbG9yaWRhMREwDwYDVQQKEwhRcGF5IEluY6EwMAqHCAAAAAAAAAAAMCKHIAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCcGA1UdJQQgMB4GCCsGAQUF
BwMBBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDov
L2NybC5nbG9iYWxzaWduLmNvbS9ncy90cnVzdHJvb3RnMi5jcmwwgYQGCCsGAQUF
BwEBBHgwdjAzBggrBgEFBQcwAYYnaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29t
L3RydXN0cm9vdGcyMD8GCCsGAQUFBzAChjNodHRwOi8vc2VjdXJlLmdsb2JhbHNp
Z24uY29tL2NhY2VydC90cnVzdHJvb3RnMi5jcnQwHQYDVR0OBBYEFJ43CHCoezjR
TkNP/TfwuEVPDL9bMB8GA1UdIwQYMBaAFBT25YsxtkWASkxt/MKHico2w5BiMA0G
CSqGSIb3DQEBCwUAA4IBAQCKMkM+/21vaDolM+9KHgaaovhe/5ZU/dXU77KYDU+w
+azktNRgL/gaujtFnOVtNhbMUlM8gBCq6pXU6Qq4CcrS+UWnELMGvXiwzbKM8Y7y
LtswUyTqo9RQdt5+GGMgw8ShX+2WKsq21mwlwXo2TxL/SNO6Rsid/Eub2XBT9qRo
grOzQdsKquIzx2b85ywiDEXWBtXSGlevtSdF2ptbx3zlf+Jv8Q9ZvpmCyIudt5nb
WkcwOnXGiJlceedQpPmEnEh4UG5uPwyI7MuFIfcraZ+LE4rtIUKjMHMKIbe/uM9r
ODMj/4NhfGQVIUbZdUg4mgso9Lv4LW4uverb12GyRXfi
-----END CERTIFICATE-----

> 
> 
> > Serial Number: ‎515f5a68378d44db50b978d1624e129218 Revocation Date: Mar 4
> > 01:00:00 2014
> 
> Not found in CCADB.

This one has EKUs and NCs, considered as technically constrained, so it is not disclosed in Salesforce. Below is its pem,
-----BEGIN CERTIFICATE-----
MIIIxzCCB6+gAwIBAgIRUV9aaDeNRNtQuXjRYk4SkhgwDQYJKoZIhvcNAQELBQAw
XDELMAkGA1UEBhMCQkUxFTATBgNVBAsTDFRydXN0ZWQgUm9vdDEZMBcGA1UEChMQ
R2xvYmFsU2lnbiBudi1zYTEbMBkGA1UEAxMSVHJ1c3RlZCBSb290IENBIEcyMB4X
DTEzMDQxODAwMDAwMFoXDTE4MDQxODAwMDAwMFowYDELMAkGA1UEBhMCVVMxEDAO
BgNVBAgTB0Zsb3JpZGExETAPBgNVBAoTCFFwYXkgSW5jMSwwKgYDVQQDEyNRcGF5
IEluYyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAIjXI4zU8C+HEnUokXudqZfoRyEoPdQ02ptrcoF1jSQS
mC/heYnXNy7MCewVCut+/DEVZ+Zlzrgn/YIJGKnvZZQvnxdtFiHyK/aUrCsk5sgh
m53MQCkJzQnmN154jh73nlQIf5ea0mS3Bqxa+mf1Y7WWFJtpYhEu8RqZWluhOO4e
OqO5zYkZCqBm221wMPxzDsaRx/lhhUbNJKzm5AoUFlXOpufZ+L5bv6nGXkr5fhZa
KciEHIHsvhHtS9qIig83+pj9fU7yrF7oFup0g6gnbbpRzf3BNVYlo4QWD3ug7beG
I1pSKXhcCZjy/Nv3NiWC/hkDzzwWWQtO73EV6eBgwQMCAwEAAaOCBX4wggV6MA4G
A1UdDwEB/wQEAwIBBjCBzQYDVR0gBIHFMIHCMEIGCisGAQQBoDIBPAEwNDAyBggr
BgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8w
fAYMKwYBBAGCwXmDfQEBMGwwKwYIKwYBBQUHAgEWH2h0dHA6Ly9wa2kucXBheTEy
My5jb20vY3BzLmh0bWwwPQYIKwYBBQUHAgIwMQwvQ29weXJpZ2h0IChjKSAyMDEz
IFFwYXkgSW5jIEFsbCBSaWdodHMgUmVzZXJ2ZWQwEgYDVR0TAQH/BAgwBgEB/wIB
ATCCA0kGA1UdHgSCA0AwggM8oIIDBjANggtxcGF5MTIzLmNvbTANggtxcGF5bmV0
LmNvbTANggtxcGF5MTIzLmJpejAPgg1teXN0YXIxMjMuY29tMAyCCnFwYXliaS5j
b20wEIIOcXBheXJlcG9ydC5jb20wE4IRcXBheXJlcG9ydGluZy5jb20wDYILcXBh
eWNzZS5jb20wD4INY3NlcmVwb3J0LmNvbTATghFtaWVzdHJlbGxhMTIzLmNvbTAT
ghFtaWVzdHJlbGxhMTIzLm5ldDAVghNzaW5saW1pdGVtZXhpY28uY29tMBWCE3Bv
bGFuZHVubGltaXRlZC5jb20wDoEMLnFwYXkxMjMuY29tMA2BC3FwYXkxMjMuY29t
MA6BDC5xcGF5bmV0LmNvbTANgQtxcGF5bmV0LmNvbTAOgQwucXBheTEyMy5iaXow
DYELcXBheTEyMy5iaXowEIEOLm15c3RhcjEyMy5jb20wD4ENbXlzdGFyMTIzLmNv
bTANgQsucXBheWJpLmNvbTAMgQpxcGF5YmkuY29tMBGBDy5xcGF5cmVwb3J0LmNv
bTAQgQ5xcGF5cmVwb3J0LmNvbTAUgRIucXBheXJlcG9ydGluZy5jb20wE4ERcXBh
eXJlcG9ydGluZy5jb20wDoEMLnFwYXljc2UuY29tMA2BC3FwYXljc2UuY29tMBCB
Di5jc2VyZXBvcnQuY29tMA+BDWNzZXJlcG9ydC5jb20wFIESLm1pZXN0cmVsbGEx
MjMuY29tMBOBEW1pZXN0cmVsbGExMjMuY29tMBSBEi5taWVzdHJlbGxhMTIzLm5l
dDATgRFtaWVzdHJlbGxhMTIzLm5ldDAWgRQuc2lubGltaXRlbWV4aWNvLmNvbTAV
gRNzaW5saW1pdGVtZXhpY28uY29tMBaBFC5wb2xhbmR1bmxpbWl0ZWQuY29tMBWB
E3BvbGFuZHVubGltaXRlZC5jb20wNqQ0MDIxCzAJBgNVBAYTAlVTMRAwDgYDVQQH
EwdGbG9yaWRhMREwDwYDVQQKEwhRcGF5IEluY6EwMAqHCAAAAAAAAAAAMCKHIAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDEGA1UdJQQqMCgGCCsGAQUF
BwMBBggrBgEFBQcDAgYIKwYBBQUHAwQGCCsGAQUFBwMJMD0GA1UdHwQ2MDQwMqAw
oC6GLGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3MvdHJ1c3Ryb290ZzIuY3Js
MIGEBggrBgEFBQcBAQR4MHYwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9vY3NwMi5nbG9i
YWxzaWduLmNvbS90cnVzdHJvb3RnMjA/BggrBgEFBQcwAoYzaHR0cDovL3NlY3Vy
ZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvdHJ1c3Ryb290ZzIuY3J0MB0GA1UdDgQW
BBSeNwhwqHs40U5DT/038LhFTwy/WzAfBgNVHSMEGDAWgBQU9uWLMbZFgEpMbfzC
h4nKNsOQYjANBgkqhkiG9w0BAQsFAAOCAQEAVc8sZOALHEbvqBNHBnrJGBtHVZ0m
LGpswWYd57z1QQ/X7/XNspIKLkLRmOExK4E2UeZG2Alg80Tue+hVzW79gnXE0y23
BPV0qxyBUAZJ8RCL+w67DNxEx+n2KfkaASzi+La3WaeRA+2aDvJyEJC3dB8/VyN7
JKgnGU3TbceoGewwLJ/dJrhowWTzVr35BfzQtg5wo/oscm6cGI7Mm/wkA6a+l4Ki
AdRsZpNYHtWw99YFBpYKEY1jl9JbI8060deZV9RCKsEqXnEDxry+V1lJVujEBshk
PlK7tVuPw4XGCafUSS9OFXk3ri/u5AttIKz2ffHMT1lzqL2JvwsA5Unk/g==
-----END CERTIFICATE-----

Please review again. If needed, we can added these into the Salesforce system. 
Thank you.
http://crl.globalsign.com/gs/trustrootg2.crl was updated with 3 entries added,

Serial Number: 4c b8 42 c7 97 2d 74 71 2d 92 b5 ee ab 95 99 d5 44 
Revocation Date: 07 Jan 2017 00:00 UTC
Expiry Date: 04 March 2019 00:00:00 UTC

Serial Number: 22 aa 72 7f f6 28 1a 0b c7 73 c1 e2 0c 0c 40 23 ca
Revocation Date: 07 Jan 2017 00:00 UTC
Expiry Date: 13 December 2017 00:00:00 UTC

Serial Number: 5c d7 d8 96 ba d5 c9 77 11 bc 14 cf 0e d3 5f 20 62
Revocation Date: 07 Jan 2017 00:00 UTC
Expiry Date: 30 May 2018 00:00:00 UTC

These 3 revocations are not compromises, they are to ensure the hierarchy remains clean as we've closed down old products which no longer issue. All these 3 have EKUs and NCs, are considered technically constrained.
http://crl.globalsign.com/gs/trustrootsha2g2.crl was updated with 1 entry added,

Serial Number: 46 22 88 90 62 9f 09 93 54 4e ef 86 30 30
Revocation Date: 07 Jan 2017 00:00 UTC
Expiry Date: February 25, 2020 00:00:00 UTC

This revocation is not compromises, it is to ensure the hierarchy remains clean as we've closed down old products which no longer issue. It has EKUs and NCs, is considered technically constrained.
http://crl.globalsign.com/gs/root-r4.crl was updated with 3 entries added,

Serial Number: 1f 07 b1 82 7f d9 08 98 9c 64 f7 2c 23 22 3c cf 14 
Revocation Date: 07 Jan 2017 00:00 UTC
Expiry Date: 13 November 2023 01:00:00 UTC

Serial Number: 46 74 37 76 0e 4a 74 36 6c d2 7c 85 66 4e
Revocation Date: 07 Jan 2017 00:00 UTC
Expiry Date: April 30, 2025 00:00:00 UTC

Serial Number: 46 74 37 75 8a 2f c2 f0 74 0f 9a b6 60 66
Revocation Date: 07 Jan 2017 00:00 UTC
Expiry Date: ‎‎April ‎30, ‎2025 00:00:00 UTC

These 3 revocations are not compromises, they are to ensure the hierarchy remains clean as we've closed down old products which no longer issue. These 3 were disclosed in the Salesforce system, and their status have been updated with revoked status.
(In reply to GlobalSign from comment #16)
> http://crl.globalsign.com/gs/root-r4.crl was updated with 3 entries added,
> 
> Serial Number: 1f 07 b1 82 7f d9 08 98 9c 64 f7 2c 23 22 3c cf 14 
> Revocation Date: 07 Jan 2017 00:00 UTC
> Expiry Date: 13 November 2023 01:00:00 UTC
> 
> Serial Number: 46 74 37 76 0e 4a 74 36 6c d2 7c 85 66 4e
> Revocation Date: 07 Jan 2017 00:00 UTC
> Expiry Date: April 30, 2025 00:00:00 UTC
> 
> Serial Number: 46 74 37 75 8a 2f c2 f0 74 0f 9a b6 60 66
> Revocation Date: 07 Jan 2017 00:00 UTC
> Expiry Date: ‎‎April ‎30, ‎2025 00:00:00 UTC
> 
> These 3 revocations are not compromises, they are to ensure the hierarchy
> remains clean as we've closed down old products which no longer issue. These
> 3 were disclosed in the Salesforce system, and their status have been
> updated with revoked status.

These have been added to OneCRL.
To my knowledge, all of the non-expired, non-technically-constrained revoked intermediate certs listed in this bug have been added to OneCRL.

All future revocations of intermediate certs should be reported as described here:
https://wiki.mozilla.org/CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_Salesforce

Thank you for your patience and diligence.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.