I'm resending this because it seems a number of people did not receive it.  
It's in the mail archives, but it was not apparently delivered to a number of 

All 68 certificates have been revoked.


From: Doug Beattie 
Sent: Tuesday, September 20, 2016 4:48 PM
Subject: Public disclosure of 68 GlobalSign SSL certificates issued without EKU 
or KU

Following a recent code update to our GlobalSign Certificate Centre (GCC) 
platform, we have discovered a bug which manifests itself when orders are 
re-issued with modified domains within the Subject Alternative Name field of 
the certificate.  When users added or removed SANs in their OV or EV 
certificate between 29 August and 19 September the resulting certificates did 
not contain the Key Usage (KU) or Extended Key Usage (EKU) extensions.  KU is 
optional according to the BRs, but EKU is mandatory.  All certificates 
contained Basic Constraints.

The issue was identified on Friday and the system patched Friday night.  
Customers in the western region were notified Friday afternoon and those in 
APAC and Japan on Monday and Tuesday (Monday was a holiday in Japan).  The 
support team was in contact with impacted customers Monday and Tuesday to 
follow up and recommend they reissue the certificate and revoke the one 
containing the issue.  Those that could not be contacted had their certificates 
revoked by the GlobalSIgn vetting team.

Currently, all but 1 certificate has been revoked.  The one remaining will be 
revoked with the next 24 hours and belongs to a high profile site in Japan who, 
due to the timing of the issue, needs another day. 

We have verified that in total 68 certificates were affected.  4 of these are 
EV and 64 OV.   The risk to the community and to our other customers is 
therefore low as we have existing relationships with all customers and have 
vetted them to a higher level of confidence to issue the original certificate 
in the first place, although obviously the inconvenience on both sides is not 

We're putting new systems in place to parse issued certificates for compliance 
with the BRs which will catch any future certificate content issues more 

For more information and the list of certificates, see the Mozilla bug filed 
earlier today: https://bugzilla.mozilla.org/show_bug.cgi?id=1304089



Public mailing list

Reply via email to