Hi all,

We were alerted to the fact that EJBCA does not calculate certificate and OCSP validities in accordance with RFC 5280, which has been a requirement since BR 1.7.1. The word "inclusive" was not caught, meaning that a certificate/response issued by EJBCA will have a validity of one second longer than intended by the RFC.

This will only cause an incident for certificates of a validity of exactly 398 days; any certificates with shorter validities are still within the requirements. This has been fixed in the coming EJBCA 7.4.3, and all PrimeKey customers were alerted a week ago and recommended to review their certificate profiles and responder settings to be within thresholds.

While investigating this we noticed that several non-EJBCA CAs seem to issue certificates with the same non-RFC-compliant validity calculation (but still within the 398-day limit), so as a professional courtesy we would like to alert other vendors to review their implementations and lessen the chance of any misissuance.

Cheers,
Mike Agrenius Kushner
Product Owner, EJBCA

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
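The off-by-one described in the post comes down to how the validity period is counted. RFC 5280 defines the period as running from notBefore through notAfter inclusive, so the length in seconds is (notAfter - notBefore) + 1 s, and a CA that sets notAfter = notBefore + 398 days ends up one second over the BR limit. The following is an added example, not code from the post, from EJBCA or from PrimeKey; it is a small stdlib-only Python check with constructed timestamps that computes the inclusive validity, derives the notAfter a CA should actually use for a target validity, and flags periods that exceed a given limit. The function names, the sample dates and the `limit` parameter are my own assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# BR limit for subscriber certificate validity, as referenced in the post.
MAX_SUBSCRIBER_VALIDITY = timedelta(days=398)

ONE_SECOND = timedelta(seconds=1)


def inclusive_validity(not_before: datetime, not_after: datetime) -> timedelta:
    """Validity period as RFC 5280 defines it: both endpoints are included,
    so the length is the naive difference plus one second."""
    if not_after < not_before:
        raise ValueError("notAfter precedes notBefore")
    return (not_after - not_before) + ONE_SECOND


def not_after_for(not_before: datetime, validity: timedelta) -> datetime:
    """The notAfter a CA should encode so that the certificate (or OCSP
    response) is valid for exactly `validity` under inclusive counting:
    notAfter = notBefore + validity - 1 s."""
    return not_before + validity - ONE_SECOND


def naive_not_after(not_before: datetime, validity: timedelta) -> datetime:
    """The calculation the post describes as non-compliant: the endpoints are
    treated as exclusive, so notAfter = notBefore + validity. This over-issues
    by one second."""
    return not_before + validity


def exceeds_limit(not_before: datetime, not_after: datetime,
                  limit: timedelta = MAX_SUBSCRIBER_VALIDITY) -> bool:
    """True if the inclusive validity is longer than `limit`. Pass a different
    `limit` to apply the same arithmetic to an OCSP thisUpdate/nextUpdate
    window (assumed usage, not from the post)."""
    return inclusive_validity(not_before, not_after) > limit


def excess_seconds(not_before: datetime, not_after: datetime,
                   limit: timedelta = MAX_SUBSCRIBER_VALIDITY) -> int:
    """How many seconds over the limit a period is (0 if within it)."""
    over = inclusive_validity(not_before, not_after) - limit
    return max(0, int(over.total_seconds()))


if __name__ == "__main__":
    # Constructed issuance time; no real certificate is involved.
    nb = datetime(2020, 10, 1, 0, 0, 0, tzinfo=timezone.utc)

    naive = naive_not_after(nb, timedelta(days=398))
    fixed = not_after_for(nb, timedelta(days=398))
    print("naive notAfter :", naive.isoformat(),
          "validity", inclusive_validity(nb, naive),
          "-> exceeds limit:", exceeds_limit(nb, naive))
    print("fixed notAfter :", fixed.isoformat(),
          "validity", inclusive_validity(nb, fixed),
          "-> exceeds limit:", exceeds_limit(nb, fixed))
```

Run against the constructed timestamps, the naive 398-day notAfter yields an inclusive validity of 398 days and 1 second and is flagged, while the corrected notAfter (23:59:59 on the last day) yields exactly 398 days and passes; the same naive arithmetic on a 397-day profile stays within the limit, which is the post's point that only profiles set to exactly 398 days trip the threshold.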