On 2026-04-03 SSL.com proactively published a preliminary incident report <https://bugzilla.mozilla.org/show_bug.cgi?id=2029230> on their use of EJBCA:

> An incorrect Open MPIC Lambda implementation by the EJBCA ACME service allowed DCV to be completed based only on the remote Network Perspectives.

A security reporter had notified them early on 2026-04-02, and presumably has alerted other CAs. To date there's only SSL.com mentioning a report, though. The impact is quite large: SSL.com dealt with revoking 1.7m within 24 hours. This should be viewed as a success of the Mass Revocation Plan in practice.

Currently only one other CA has reported having the same issue: HARICA <https://bugzilla.mozilla.org/show_bug.cgi?id=2029643>. There are quite a few CAs using EJBCA <https://bugzilla.mozilla.org/buglist.cgi?longdesc_type=allwordssubstr&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&query_format=advanced&product=CA%20Program&component=CA%20Certificate%20Compliance&longdesc=ejbca&list_id=17917927&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other>; I'd be surprised if it were limited to only these two CAs.

Could any CA using EJBCA prioritize checking if they are impacted by this issue? The longer this waits, the more certificates will be impacted.

- Wayne
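As an added illustration (not SSL.com's, HARICA's or EJBCA's code; the exact EJBCA defect is not described on this page), the following models the failure mode the report names: a rule that decides DCV from the remote Network Perspectives alone, beside one that also requires the Primary Network Perspective's own result, plus an audit pass a CA could run over stored validation records. The record layout, perspective names and the assumption that the primary performs the DCV while remotes only corroborate are constructed for the example; the remote quorum follows the Baseline Requirements rule (2 to 5 remotes: all but one must corroborate; 6 or more: all but two).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PerspectiveResult:
    name: str      # constructed perspective label, e.g. "primary", "eu-west"
    passed: bool   # whether this perspective observed a successful DCV


def remote_quorum_met(remotes):
    """Baseline Requirements quorum over the remote perspectives only:
    with 2-5 remotes at most one may fail to corroborate, with 6+ at most two."""
    n = len(remotes)
    if n < 2:
        return False  # too few remote perspectives to corroborate anything
    failures = sum(1 for r in remotes if not r.passed)
    return failures <= (1 if n <= 5 else 2)


def dcv_passes_remote_only(primary, remotes):
    """Flawed rule modelling the reported bug: the outcome is decided by the
    remote perspectives alone, so the primary's own result is never consulted."""
    return remote_quorum_met(remotes)


def dcv_passes(primary, remotes):
    """Corrected rule: the Primary Network Perspective must itself have
    completed DCV, and the remote perspectives must corroborate that result."""
    return primary.passed and remote_quorum_met(remotes)


def audit_issuances(records):
    """Re-evaluate stored validation records and return the ids of those that
    would only have passed under the flawed rule (candidates for revocation)."""
    return [rid for rid, primary, remotes in records
            if dcv_passes_remote_only(primary, remotes)
            and not dcv_passes(primary, remotes)]


# Constructed sample records: (validation id, primary result, remote results)
SAMPLE_RECORDS = [
    ("val-1", PerspectiveResult("primary", True),
     [PerspectiveResult("us-east", True), PerspectiveResult("eu-west", True),
      PerspectiveResult("ap-south", False)]),
    ("val-2", PerspectiveResult("primary", False),  # primary never succeeded
     [PerspectiveResult("us-east", True), PerspectiveResult("eu-west", True)]),
    ("val-3", PerspectiveResult("primary", True),
     [PerspectiveResult("us-east", True), PerspectiveResult("eu-west", False),
      PerspectiveResult("ap-south", False)]),
]

if __name__ == "__main__":
    print(audit_issuances(SAMPLE_RECORDS))  # ['val-2']
```

Only val-2 is flagged: its remote quorum holds, but the primary perspective never completed the validation, which is exactly the case the flawed rule lets through.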
