Hi all,

We were alerted to the fact that EJBCA does not calculate certificate and OCSP
validities in accordance with RFC 5280, which has been a requirement since BR
1.7.1. The word "inclusive" was not caught, meaning that a certificate/response
issued by EJBCA will have a validity of one second longer than intended by the
RFC.

This will only cause an incident for certificates of a validity of exactly 398 
days - any certificates with shorter validities are still within the 
requirements. 

This has been fixed in the coming EJBCA 7.4.3, and all PrimeKey customers were 
alerted a week ago and recommended to review their certificate profiles and 
responder settings to be within thresholds. 

While investigating this we noticed that several non-EJBCA CAs seem to issue
certificates with the same non-RFC-compliant validity calculation (but still
within the 398 day limit), so as a professional courtesy we would like to alert
other vendors to review their implementations and lessen the chance of any
misissuance.

Cheers,
Mike Agrenius Kushner
Product Owner, EJBCA
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
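As an added illustration (not part of the post above and not EJBCA's own code), a small Python check of the inclusive validity rule the post refers to: RFC 5280 counts both notBefore and notAfter, so a notAfter set to notBefore plus 398 days yields 398 days and one second. The dates and the 398-day constant are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Baseline Requirements limit for subscriber certificate validity, in days.
BR_MAX_DAYS = 398


def validity_seconds(not_before: datetime, not_after: datetime) -> int:
    """Inclusive validity per RFC 5280 section 4.1.2.5.

    Both endpoints are valid instants, so the period is the difference
    between them plus one second (the second that notAfter itself covers).
    """
    return int((not_after - not_before).total_seconds()) + 1


def within_br_limit(not_before: datetime, not_after: datetime,
                    max_days: int = BR_MAX_DAYS) -> bool:
    """True if the inclusive validity does not exceed max_days."""
    return validity_seconds(not_before, not_after) <= max_days * 86400


def naive_not_after(not_before: datetime, days: int) -> datetime:
    """The off-by-one computation: treats validity as an exclusive interval.

    notBefore + 398 days gives 398 days plus one second of inclusive validity.
    """
    return not_before + timedelta(days=days)


def compliant_not_after(not_before: datetime, days: int) -> datetime:
    """notAfter that yields exactly `days` of inclusive validity."""
    return not_before + timedelta(days=days) - timedelta(seconds=1)


def lint(not_before: datetime, not_after: datetime) -> str:
    """Short verdict string suitable for a profile review report."""
    secs = validity_seconds(not_before, not_after)
    over = secs - BR_MAX_DAYS * 86400
    if over > 0:
        return f"EXCEEDS {BR_MAX_DAYS}d by {over}s (inclusive validity {secs}s)"
    return f"OK (inclusive validity {secs}s)"


if __name__ == "__main__":
    # Constructed notBefore; no real certificate is involved.
    nb = datetime(2020, 10, 1, 0, 0, 0, tzinfo=timezone.utc)
    print("naive 398d     :", lint(nb, naive_not_after(nb, 398)))
    print("compliant 398d :", lint(nb, compliant_not_after(nb, 398)))
    print("naive 397d     :", lint(nb, naive_not_after(nb, 397)))
```

The third case shows the point made in the post: a profile that is even one day shorter stays within the limit with either computation.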
