I cannot help but notice that the host names of the certificates involved rather strongly suggest that a series of devices or embedded servers is creating these CSRs / utilizing these certificates.

As you mentioned, some users subsequently requested certs for the same keys already previously utilized. The concentration of these certificates across host names that suggest they are embedded industrial control and monitoring systems, like SCADA, etc., points to specific equipment or applications that have a problematic security problem. Are you aware of the particulars of what devices are involved? Are the customers aware of the vulnerability? Has the manufacturer been made aware?

It's certainly true that publicly trusted CAs can block issuance of certs over weak ROCA keys. However, this may just drive the problematic devices to self-signed certs or corporate PKI. Unless these devices can perform proper TLS, users should probably take caution to ensure these are not reachable from the public internet.

Thanks,
Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
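The CA-side block on "weak ROCA keys" that Matt refers to rests on a check that needs nothing but the public modulus. Below is an added example of that check, not code from this thread, from Mozilla, or from any CA: it implements the fingerprint published with the ROCA paper (Nemec et al., "The Return of Coppersmith's Attack"), where affected primes have the form p = k*M + (65537^a mod M) with M a primorial, so N = p*q lands in the subgroup generated by 65537 modulo every small prime dividing M. To give it something to run on offline, the block constructs a toy 512-bit modulus with that structure (the `roca_style_prime` helper only mimics the shape of the weak keys; it is not the vendor's routine) and a control modulus from ordinary random primes, both from a fixed seed. `modulus_from_openssl_line` assumes the `Modulus=<hex>` line that `openssl x509 -noout -modulus` (or `openssl req -noout -modulus` for a CSR) prints; the sample data is constructed, not taken from any real certificate.

```python
"""ROCA public-key fingerprint for RSA moduli (added example; not from the thread).

Affected primes look like  p = k * M + (65537**a mod M),  M = product of the
first n small primes.  Hence N = p*q satisfies, for every small prime r | M,
    N mod r  in  {65537**i mod r}   (the subgroup generated by 65537 in Z_r^*).
An unaffected modulus passes that test for all the informative primes only with
negligible probability, so the modulus alone is enough to flag a key.
"""
import math
import random

# First 39 primes. Their product is the M the paper gives for 512-bit keys; the
# M values for the larger key sizes are multiples of it, so these primes are
# informative for every affected key size.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
M = math.prod(SMALL_PRIMES)


def _subgroup(r: int) -> set:
    """Residues {65537**i mod r}: the only values an affected modulus can take mod r."""
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = x * 65537 % r
    return members


# Primes where 65537 generates all of Z_r^* (2, 3, 5, 7) say nothing; drop them.
FINGERPRINT = {}
for _r in SMALL_PRIMES:
    _members = _subgroup(_r)
    if len(_members) < _r - 1:
        FINGERPRINT[_r] = _members


def is_roca_fingerprinted(n: int) -> bool:
    """True when n has the ROCA structure; a CA would reject the CSR on True."""
    return all(n % r in members for r, members in FINGERPRINT.items())


def modulus_from_openssl_line(line: str) -> int:
    """Parse the 'Modulus=HEX' line printed by `openssl x509/req -noout -modulus`."""
    label, _, hexdigits = line.strip().partition("=")
    if label != "Modulus":
        raise ValueError("expected a line of the form Modulus=<hex>")
    return int(hexdigits, 16)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Trial division by SMALL_PRIMES, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(bits: int, rng: random.Random) -> int:
    """Constructed toy prime of the shape p = k*M + 65537^a mod M (demo only;
    this mimics the structure of the weak keys, it is not the vendor's code)."""
    k_bits = bits - M.bit_length()
    while True:
        a = rng.randrange(1, M)
        k = rng.randrange(1 << k_bits, 1 << (k_bits + 1))
        p = k * M + pow(65537, a, M)
        if p.bit_length() == bits and _is_probable_prime(p, rng):
            return p


def random_prime(bits: int, rng: random.Random) -> int:
    """Ordinary random prime of exactly `bits` bits, for the control modulus."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(n, rng):
            return n


def demo_moduli(seed: int = 2017):
    """Constructed sample: one 512-bit modulus with ROCA structure and one made
    from ordinary random primes, both derived from a fixed seed."""
    rng = random.Random(seed)
    n_weak = roca_style_prime(256, rng) * roca_style_prime(256, rng)
    n_ok = random_prime(256, rng) * random_prime(256, rng)
    return n_weak, n_ok


if __name__ == "__main__":
    weak, ok = demo_moduli()
    for name, n in (("constructed ROCA-style", weak), ("ordinary random", ok)):
        print(f"{name:22s} modulus: fingerprinted={is_roca_fingerprinted(n)}")
```

The check is a necessary condition, not a proof: a modulus that passes is rejected because the chance of an unaffected key hitting every subgroup is negligible, while one that fails is certainly not from the affected generator. That is exactly why blocking at the CA only moves the problem: the same modulus keeps working in a self-signed or corporate-PKI certificate, so the device-level fix Matt asks about is the real remedy.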