Hi,

I am posting this message on behalf of Google Trust Services.
We stopped using EJBCA in 2023. As such, no certificates issued by Google 
Trust Services are affected by this bug.

Best regards,
Fabien

On Tuesday, April 7, 2026 at 7:47:29 AM UTC+2 Dimitris Zacharopoulos wrote:

>
> On 4/6/2026 8:31 PM, Wayne wrote:
>
> On 2026-04-03 SSL.com proactively published a preliminary incident report 
> <https://bugzilla.mozilla.org/show_bug.cgi?id=2029230> on their use of 
> EJBCA
> > An incorrect Open MPIC Lambda implementation by the EJBCA ACME service 
> > allowed DCV to be completed based only on the remote Network Perspectives.
>
> A security reporter had notified them early on 2026-04-02, and presumably 
> have alerted other CAs. To date there's only SSL.com mentioning a report 
> though.
>
>
> Hi Wayne,
>
> I just want to clarify that HARICA was not alerted by a security 
> researcher regarding this issue.
>
>
>
> The impact is quite large, SSL.com dealt with revoking 1.7m within 24 
> hours. This should be viewed as a success of the Mass Revocation Plan in 
> practice.
>
>
> Indeed, that's what we currently use for guidance as well. Please note 
> that some CAs had mass revocation procedures even before the requirement 
> from Mozilla, but the policy change pushed for very meaningful improvements 
> to support worst case scenarios (like mass revocation within 24 hours). 
> Having these steps already prepared is extremely helpful in time-sensitive 
> situations like mass-replacement of certificates which precedes the 24-hour 
> mass-revocation. 
>
>
>
> Currently only one other CA has reported having the same issue: HARICA 
> <https://bugzilla.mozilla.org/show_bug.cgi?id=2029643>.
>
> There are quite a few 
> <https://bugzilla.mozilla.org/buglist.cgi?longdesc_type=allwordssubstr&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&query_format=advanced&product=CA%20Program&component=CA%20Certificate%20Compliance&longdesc=ejbca&list_id=17917927&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other>
>  
> CAs using EJBCA, I'd be surprised if it were limited to only these two CAs.
>
>
> They would have to be using the ACME service from EJBCA.
>
>
> Thanks,
> Dimitris.
>
>
> Could any CA using EJBCA prioritize checking if they are impacted by this 
> issue? The longer this waits, the more certificates will be impacted.
>
> - Wayne
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion visit 
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/fd9c43c1-512d-44d7-9601-bdbc61df4bcen%40mozilla.org.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/1cc50f03-220a-46de-9b1b-9618f5bd62e6n%40mozilla.org.
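For readers unfamiliar with what "DCV completed based only on the remote Network Perspectives" means in practice, the following is an added illustration of the decision step in multi-perspective domain control validation (MPIC). It is not code from this thread, from Open MPIC, from EJBCA or from any CA; the quorum thresholds and the RIR-diversity rule are my reading of the CA/Browser Forum Baseline Requirements and should be treated as an assumption to be checked against the current text. The perspective names, regions and validation records are constructed sample data. It shows the flawed shape (the primary perspective's own result is never consulted) next to the correct shape (the primary must pass and the remotes must corroborate), plus an audit pass a CA could run over stored validation records to find acceptances that the correct rule would have rejected.

```python
"""MPIC decision logic, illustrative only (not Open MPIC / EJBCA / any CA code).
Quorum thresholds below are an ASSUMPTION based on my reading of the CA/B Forum
Baseline Requirements; verify them against the current BRs before relying on them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PerspectiveResult:
    name: str    # constructed label, e.g. "primary", "us-east"
    rir: str     # RIR service region of the vantage point (ARIN, RIPE, APNIC, ...)
    passed: bool # did the DCV check (e.g. fetching the challenge token) succeed here?


def remote_quorum_met(remotes):
    """True if the remote perspectives corroborate the validation.

    Assumed rule: with 2-5 remote perspectives at most one may fail; with 6 or
    more, at most two may fail; the passing perspectives must span at least
    two distinct RIR regions. Fewer than 2 remotes can never form a quorum.
    """
    n = len(remotes)
    if n < 2:
        return False
    allowed_failures = 1 if n <= 5 else 2
    failures = sum(1 for r in remotes if not r.passed)
    if failures > allowed_failures:
        return False
    regions = {r.rir for r in remotes if r.passed}
    return len(regions) >= 2


def dcv_passes_remote_only(primary, remotes):
    """The failure mode described in the thread: the outcome is derived from
    the remote perspectives alone, so the primary (CA-side) result is ignored."""
    return remote_quorum_met(remotes)


def dcv_passes(primary, remotes):
    """Correct shape: the CA's own validation must succeed AND the remote
    perspectives must corroborate it. Remotes are corroboration, not a substitute."""
    return primary.passed and remote_quorum_met(remotes)


def audit(records):
    """Defender's check over stored validation records (id, primary, remotes,
    accepted): return ids that were accepted although the correct rule rejects them."""
    return [rid for rid, primary, remotes, accepted in records
            if accepted and not dcv_passes(primary, remotes)]


# --- constructed sample data ---------------------------------------------------
PRIMARY_OK = PerspectiveResult("primary", "RIPE", True)
PRIMARY_FAIL = PerspectiveResult("primary", "RIPE", False)   # token not found from the CA

REMOTES_OK = [  # 4 remotes, 1 failure allowed, passing set spans ARIN + RIPE
    PerspectiveResult("us-east", "ARIN", True),
    PerspectiveResult("us-west", "ARIN", True),
    PerspectiveResult("eu-central", "RIPE", True),
    PerspectiveResult("ap-south", "APNIC", False),
]
REMOTES_ONE_REGION = [  # all pass, but only one RIR region represented
    PerspectiveResult("us-east", "ARIN", True),
    PerspectiveResult("us-west", "ARIN", True),
]
REMOTES_TOO_MANY_FAIL = [  # 3 remotes, 2 failures > 1 allowed
    PerspectiveResult("us-east", "ARIN", True),
    PerspectiveResult("eu-central", "RIPE", False),
    PerspectiveResult("ap-south", "APNIC", False),
]

# Constructed validation log: (id, primary result, remote results, accepted?)
RECORDS = [
    ("v-001", PRIMARY_OK, REMOTES_OK, True),        # legitimately accepted
    ("v-002", PRIMARY_FAIL, REMOTES_OK, True),      # accepted on remotes alone: suspect
    ("v-003", PRIMARY_OK, REMOTES_ONE_REGION, False),  # correctly rejected
]

if __name__ == "__main__":
    print("remote-only decision, primary failed:", dcv_passes_remote_only(PRIMARY_FAIL, REMOTES_OK))
    print("correct decision, primary failed:   ", dcv_passes(PRIMARY_FAIL, REMOTES_OK))
    print("suspect validations:", audit(RECORDS))
```

The audit function is the part a CA in this situation would actually want: given its stored per-perspective results and the issuance decision, it lists the validations that only went through because the primary result was never consulted, which is exactly the population that has to be revoked.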
