[cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU

Doug Beattie doug.beattie at globalsign.com
Tue Sep 20 13:48:00 MST 2016


Following a recent code update to our GlobalSign Certificate Centre (GCC) platform, we have discovered a bug which manifests itself when orders are re-issued with modified domains within the Subject Alternative Name field of the certificate.  When users added or removed SANs in their OV or EV certificate between 29 August and 19 September the resulting certificates did not contain the Key Usage (KU) or Extended Keu Usage (EKU) extensions.  KU is optional according to the BRs, but EKU is mandatory.  All certificates contained Basic Constraints.
The issue was identified on Friday and the system patched Friday night.  Customers in the western region were notified Friday afternoon and those in APAC and Japan on Monday and Tuesday (Monday was a holiday in Japan).  The support team was in contact with impacted customers Monday and Tuesday to follow up and recommend they reissue the certificate and revoke the one containing the issue.  Those that could not be contacted had their certificates revoked by the GlobalSIgn vetting team.
Currently, all but 1 certificate has been revoked.  The one remaining will be revoked with the next 24 hours and belongs to a high profile site in Japan who, due to the timing of the issue, needs another day.
We have verified that in total 68 certificates were affected.  4 of these are EV and 64 OV.   The risk to the community and to our other customers is therefore low as we have existing relationships with all customers and have vetted them to a higher level of confidence to issue the original certificate in the first place, although obviously the inconvenience on both sides is not welcome.
We're putting new systems in place to parse issued certificates for compliance with the BRs which will catch any future certificate content issues more quickly.
For more information and the list of certificates, see the Mozilla bug filed earlier today: https://bugzilla.mozilla.org/show_bug.cgi?id=1304089
Regards,
Doug

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160920/555f532a/attachment.html 


More information about the Public mailing list