Hello,

My domain registrar, who is also a certificate authority, just issued a precertificate (visible in CT logs) and a valid certificate for my domain. This is part of their new offer to automatically offer free certificates for all of their domains: https://www.nazwa.pl/certyfikaty-ssl/

I had a CAA record that only allowed letsencrypt.org to issue certificates for my domain:

`lebihan.pl. 3600 IN CAA 0 issue "letsencrypt.org"`

I think my domain registrar just violated my CAA by issuing that certificate. Were they allowed to issue this certificate?

I also read that it is not recommended for certificate authorities to generate private keys and certificates for clients. Shouldn't they only sign certificate requests?

The precertificate is visible on Facebook Surveillance Certificate Transparency: https://developers.facebook.com/tools/ct/search/?query=lebihan.pl

The issuer is `C=PL, O=nazwa.pl sp. z o.o., OU=http:, nazwa.pl, CN=nazwaSSL`.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
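An added example, not part of the original message: a minimal evaluator for the CAA check described in RFC 8659, applied to the record quoted above. The zone contents are constructed from that record, and the issuer identifier `nazwa.pl` is an assumption, since the page does not say which CAA domain name that CA uses.

```python
import re

# Constructed zone data: the single CAA record quoted in the message.
ZONE = {"lebihan.pl.": ['0 issue "letsencrypt.org"']}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Parse presentation-format CAA RDATA: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"', rdata.strip())
    if not m:
        raise ValueError(f"bad CAA rdata: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_rrset(fqdn, zone):
    """Climb from the name towards the root until a CAA RRset is found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if name in zone:
            return [parse_caa(r) for r in zone[name]]
    return []

def issuer_domain(value):
    """The issuer domain is the part before any ';' parameters (may be empty)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, fqdn, zone):
    """True if CAA permits ca_domain (hypothetical identifier) to issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True  # no CAA RRset found: issuance is unrestricted
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    props = [v for _, t, v in rrset if t == "issue"]
    if wildcard:
        # issuewild, when present, replaces issue for wildcard names only.
        props = [v for _, t, v in rrset if t == "issuewild"] or props
    if not props:
        return True  # e.g. only iodef records: nothing restricts issuance
    return any(issuer_domain(v) == ca_domain.lower() for v in props)

if __name__ == "__main__":
    for ca in ("letsencrypt.org", "nazwa.pl"):
        print(ca, may_issue(ca, "lebihan.pl", ZONE))
```

The check reflects the records a CA sees at issuance time, so comparing it against a certificate's timestamp requires knowing what the zone published at that moment.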

