Incident Report - Misissuance of certificates with small RSA keys (GDCA)

Hi All,

This mis-issuance incident was reported by Mr. Rob Stradling via an e-mail =
sent to GDCA=E2=80=99s Problem Reporting Mechanism ( Mr. Rob Stradling also filed a report at June 7, 2018 18:07 (UTC+8) v=
ia Bugzilla (

1.How your CA first became aware of the problem (e.g. via a problem report =
submitted to your Problem Reporting Mechanism, via a discussion in mozilla.=, or via a Bugzilla bug), and the date.

We became aware of the problem via an e-mail sent to GDCA=E2=80=99s Problem=
 Reporting Mechanism ( by Mr. Rob Stradling, the=
 e-mail was sent at June 7, 2018 18:10 (UTC+8). Mr. Rob Stradling also file=
d a report at June 7, 2018 18:07 (UTC+8) via Bugzilla (https://bugzilla.moz=

2.A timeline of the actions your CA took in response.

  A.June 7, 2018 18:10 (UTC+8)- Mr. Rob Stradling sent the e-mail to webtru=
  B.June 7, 2018 18:40 (UTC+8) =E2=80=93 GDCA became aware of the reported =
  C.June 7, 2018 18:58 (UTC+8) =E2=80=93 GDCA suspended the issuance of the=
 GDCA DV SSL certificates;
  D.June 7, 2018 19:10 (UTC+8) =E2=80=93 GDCA replied Mr. Rob Stradling=E2=
=80=99s e-mail, indicated that we were looking into the issue; =20
  E.June 7, 2018 20:30 (UTC+8) =E2=80=93 GDCA confirmed the mis-issuance of=
 the reported certificates;
  F.June 7, 2018 21:00 (UTC+8) =E2=80=93 GDCA revoked the 4 mis-issued cert=
  G.June 7, 2018 21:27 (UTC+8) =E2=80=93 GDCA notified the subscribers that=
 the mis-issued certificates were revoked;
  H.June 8, 2018 09:30 (UTC+8) =E2=80=93 GDCA identified the reason of the =
  I.June 8, 2018 11:43 (UTC+8) =E2=80=93 GDCA found three additional DV SSL=
 certificates that were mis-issued through scanning all the SSL certificate=
s issued by the GDCA TrustAUTH R5 ROOT and its Subordinate CAs;
  J.June 8, 2018 12:04 (UTC+8) =E2=80=93 GDCA revoked the additional three =
mis-issued certificates, notified the subscribers through the e-mail addres=
ses of the domain owners.  =20

3.Confirmation that your CA has stopped issuing TLS/SSL certificates with t=
he problem.

  GDCA suspended the issuance of DV SSL certificates as of June 7, 2018 18:=
58 (UTC+8).=20

4.A summary of the problematic certificates. For each problem: number of ce=
rts, and the date the first and last certs with that problem were issued.

  A total of 7 certificates were mis-issued and for the same reason, these =
certificates were issued between December 06, 2017 and June 05, 2018.=20

5.The complete certificate data for the problematic certificates. The recom=
mended way to provide this is to ensure each certificate is logged to CT an=
d then list the fingerprints or IDs, either in the report or as an a=
ttached spreadsheet, with one list per distinct problem.

  Certificate 1:
  Certificate 2:
  Certificate 3:
  Certificate 4:
  Certificate 5:
  Certificate 6:
  Certificate 7:

6.Explanation about how and why the mistakes were made or bugs introduced, =
and how they avoided detection until now.

  After conducting an investigation, we found that a bug was introduced dur=
ing an upgrade in our certificate issuance system which was misconfigured l=
ater, causing the failure of detection on the minimum RSA key size.  =20

7.List of steps your CA is taking to resolve the situation and ensure such =
issuance will not be repeated in the future, accompanied with a timeline of=
 when your CA expects to accomplish these things.

  A.Suspended the issuance of DV SSL certificates;
  B.Scanned all the SSL certificates issued by the GDCA TrustAUTH R5 ROOT a=
nd its Subordinate CAs to find out if other certificates with small RSA key=
s were mis-issued;
  C.We are currently fixing the bug in the issuance system and working to h=
ave it correctly configured by June 10, 2018;
  D.We are adding a function in the key parts of the issuance system to reg=
ularly detect the minimum RSA key size, and such function is expected to be=
 enabled by June 20, 2018.=20

We wish to thank Mr. Rob Stradling for bringing this problem to our attenti=

Your comments and suggestions will be much appreciated.

6/9/2018 12:54:39 PM 1337 articles. 2 followers. Post Follow

0 Replies

Similar Articles

[PageSpeed] 10