Hi Anupama, we think this might be an issue on our side when we imported the pem file. Not a CCADB issue. Our team is looking into this now.
Thanks, Trevoli Ponds-White Amazon Trust Services On Monday, May 11, 2026 at 11:22:52 AM UTC-7 Anupama M wrote: > Hi Mozilla Team, > > Reporting a regression in the PEM column of > MozillaIntermediateCertsCSVReport (snapshot 2026-05-07) downloaded from > https://ccadb.my.salesforce-sites.com/mozilla/MozillaIntermediateCertsCSVReport > . > > 18 rows have a blank line directly after the pre-encapsulation boundary — > the byte sequence is -----BEGIN CERTIFICATE-----\n\nMII… instead of > -----BEGIN > CERTIFICATE-----\nMII…. This violates RFC 7468 §3 ("There is no blank > line between the pre-encapsulation boundary and the encapsulated text") and > is rejected outright by strict PEM parsers. The same bug also appears to > throw the wrap counter for the rest of the body in those 18 rows, producing > pathological 64/1/62/2/… line widths. > > The underlying certificate data is fine — every PEM still decodes to a > cert whose SHA-256 matches the row's SHA256 column — so this is purely a > CSV-generator regression. > > Affected rows are all Amazon S-series intermediates: > > - Amazon ECDSA 256 S06–S09 (4 certs, issued by Amazon Root CA 4) > - Amazon ECDSA 384 S06–S13 (8 certs, issued by Amazon Root CA 4) > - Amazon RSA 2048 S06–S11 (6 certs, issued by Amazon Root CA 1) > > Happy to share the full list of 18 SHA-256s or the analysis script if > useful. > > Thanks, > > Anupama M > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/36d866d4-1761-4bc7-8b17-9b7f00a0a686n%40mozilla.org.
