Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020


Youfu Zhang

Sep 3, 2025, 11:32:41 AM
to dev-secur...@mozilla.org, info...@fina.hr
Hello,

This is a public report of several certificates issued by Fina RDC
2020 that appear to be mis-issued. These certificates contain the
Subject Alternative Name (SAN) iPAddress:1.1.1.1.

The IP address 1.1.1.1 is a well-known public DNS resolver operated by
Cloudflare, in partnership with APNIC. It is highly unlikely that the
certificate subscribers demonstrated control over this IP address as
required by the CA/Browser Forum Baseline Requirements.

Three of the discovered certificates are still valid as of today,
September 3, 2025.

Mis-issued Certificates:

1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
Subject CN: test1.hr
SAN:
- dNSName:test1.hr
- dNSName:test12.hr
- iPAddress:1.1.1.1
crt.sh: https://crt.sh/?id=18603461241
Censys: https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee

2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
Subject CN: test1.hr
SAN:
- dNSName:test1.hr
- dNSName:test11.hr
- iPAddress:1.1.1.1
crt.sh: https://crt.sh/?id=19749721864
Censys: https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf

3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
Subject CN: test11.hr
SAN:
- dNSName:test11.hr
- dNSName:test12.hr
- iPAddress:1.1.1.1
crt.sh: https://crt.sh/?id=20582951233
Censys: https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92

Relevant Certificate Authority:

These precertificates were issued by Fina RDC 2020
(https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root
CA (https://crt.sh/?caid=100631).

Fina Root CA is trusted by the Microsoft Root Certificate Program.

Apparent Violations:

This issuance appears to violate both the CA/Browser Forum's
requirements and Fina's own stated policies.

1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section 7.1.2.7.12:

The entry MUST contain the IPv4 or IPv6 address that the CA has
confirmed the Applicant controls or has been granted the right to use
through a method specified in Section 3.2.2.5.

2. Fina RDC 2020 Certificate Policy (v1.12), Section 3.2.2.4:

For each IP Address listed in certificate application Fina shall
verify, as of the date the certificate was issued, the right to use
and control the IP Address by the Legal person submitting the
certificate application.
This verification shall be done in accordance with the methods
specified in the CA/Browser Forum BRG document.

I request that Fina investigate this matter, revoke any active
non-compliant certificates, and provide a public incident report in a
timely manner.

---

Best regards,
Youfu Zhang

Ben Wilson

Sep 3, 2025, 2:23:41 PM
to Youfu Zhang, dev-secur...@mozilla.org, info...@fina.hr

Thank you, Youfu, for bringing this to the community’s attention.

This CA has never been part of the Mozilla Root Program, and their certificates have never been trusted by Firefox. However, we are happy to facilitate continued discussion on dev-security-policy as it is clearly relevant to the community as a whole.

Whilst we recognize Fina CA is not part of our root program, we also agree that it would be extremely beneficial for Fina to file an incident report in accordance with this guidance from the CCADB: https://www.ccadb.org/cas/incident-report.

Ben




Bas Westerbaan

Sep 3, 2025, 4:41:52 PM
to Ben Wilson, Youfu Zhang, dev-secur...@mozilla.org, info...@fina.hr
Hi all,

Quick message to confirm that Fina CA did not have our permission to publish these certificates. After seeing the certificate-policy email, we've immediately reached out to them, Microsoft and their TSP supervisory body. We take this lapse very seriously. We've been busy investigating, including checking if there are any other certificates misissued for our domains. We're preparing a blog to share our findings soon.

Best,

Bas

Bas Westerbaan

1:29 PM
to Ben Wilson, Youfu Zhang, dev-secur...@mozilla.org, info...@fina.hr

Andrew Ayer

5:39 PM
to dev-secur...@mozilla.org, info...@fina.hr
On the Fediverse, Dr. Christopher Kunz <https://chaos.social/@christopherkunz/115144844256513679> has noticed two additional issues:

1. A presumably-misissued certificate for 2.2.2.2, an IP address assigned to Oracle according to WHOIS: https://crt.sh/?sha256=789DE404B22E8737C22694B72CBDDC23F8C1EE4BF1DF3FAEBACF5C3E5509288B

2. The certificates involved in this incident have been revoked with the reason code cessationOfOperation. Per BR 4.9.1.1 (5), the reason should be superseded.

Regards,
Andrew

Watson Ladd

5:53 PM
to Andrew Ayer, dev-secur...@mozilla.org, info...@fina.hr
That's not all:
https://crt.sh/?id=15304695102&opt=ocsp looks a little suspicious to
me given the OU values here. I wish I had a legitimately issued one to
contrast with, but I am suspicious.

I also found https://crt.sh/?id=2186789673 which is from a different CA

Sincerely,
Watson
--
Astra mortemque praestare gradatim

Wayne

6:12 PM
to dev-secur...@mozilla.org, Watson Ladd, dev-secur...@mozilla.org, info...@fina.hr, Andrew Ayer
A glance through censys with the following query and a report checking parsed.extensions.subject_alt_name.dns_names:
parsed.issuer.organization="Financijska*" and not labels="revoked" and labels="trusted" and parsed.extensions.extended_key_usage.server_auth="true"

Internal IPs (only the invalid SANs are mentioned):
SAN: 10.1.134.20
https://crt.sh/?q=e0fe7d9c83faefd6ee2f078a382b1049a52677031c1af48fcece7666d0b8903b

SAN: 10.1.134.21
https://crt.sh/?q=ae4daa27c166be9c5da7a2ba6582cb6fa3eec5127597e3617c4e53ab8d302e34

SAN: 10.1.134.25
https://crt.sh/?q=527aab4e6f976ec7b3f7dd1959e7a01f62d6ae2d573ee8a3a2fd3af5ad5a0e02

No TLD at all:
SAN: finadok, spoint2013
https://crt.sh/?q=aae59c2e5176f641d2b66d69edaadb350e2b8e0ed977e821a3e4e51e4bc0de40

Spaces in DNS entries:
SAN: NIAS otocna-iskaznica.hr
https://crt.sh/?q=2185539e4ad2a8d4e9e3ff228feed656bf23f9066fc1c1b06ebfc833ea8a2cce

SAN: instapay. paba.hr
https://crt.sh/?q=161d567783398b1d9da8d9f2a3f9f03b0584f993bacfa9e4fadd17b498e42714

Underscore in DNS entry:
SAN: obnova_osnivanje.mpudt.hr
https://crt.sh/?q=3e8d8e4ecb5900bd9d36cdb3ade71a46d415f9bec08d8d5ff753070fcbff5d11

There are also all the other certs where the dns_names are IP addresses anyway, with failed lints, but I'm not checking ownership of every issued cert.

If we're going to make a list of everywhere they've gone wrong, we'll be here for a while, is my point.

- Wayne
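As an added example (not code from any poster, from Fina or from crt.sh/Censys), a small Python SAN lint that flags the categories raised in this thread: iPAddress entries that are non-public or fall outside the networks the CA has validated under BR 3.2.2.5 (Youfu's report), and dNSName entries with whitespace, underscores, no TLD or IP literals (Wayne's list). The sample SAN list and the `validated_networks` argument are constructed for illustration.

```python
import ipaddress
import re

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one RFC 1123 hostname label

def lint_dns_name(name: str) -> list[str]:
    """Problems found in one dNSName SAN entry (empty list means clean)."""
    try:
        ipaddress.ip_address(name)
        return ["IP address literal in dNSName"]  # belongs in an iPAddress entry instead
    except ValueError:
        pass
    problems = []
    if any(ch.isspace() for ch in name):
        problems.append("contains whitespace")
    if "_" in name:
        problems.append("contains underscore")
    labels = name.split(".")
    if len(labels) < 2:
        problems.append("no TLD (single label)")
    problems += [f"invalid label {lbl!r}" for lbl in labels if not LABEL_RE.match(lbl)]
    return problems

def lint_ip_address(ip: str, validated_networks=()) -> list[str]:
    """validated_networks: CIDR strings the CA confirmed the applicant controls (BR 3.2.2.5)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ["unparseable iPAddress"]
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return ["non-public address"]  # RFC 1918 etc. can never pass 3.2.2.5 validation
    nets = [ipaddress.ip_network(n) for n in validated_networks]
    if not any(addr in net for net in nets):
        return ["not within a validated network"]
    return []

def lint_san(entries, validated_networks=()) -> dict[str, list[str]]:
    """Map each offending SAN value to its problems; clean entries are omitted."""
    findings = {}
    for kind, value in entries:
        probs = lint_dns_name(value) if kind == "dNSName" else lint_ip_address(value, validated_networks)
        if probs:
            findings[value] = probs
    return findings

# Constructed sample modelled on SAN values quoted in this thread; no validated networks given.
SAMPLE_SANS = [("dNSName", "test1.hr"), ("iPAddress", "1.1.1.1"), ("iPAddress", "10.1.134.20"),
               ("dNSName", "finadok"), ("dNSName", "instapay. paba.hr"), ("dNSName", "obnova_osnivanje.mpudt.hr")]

if __name__ == "__main__":
    for value, probs in lint_san(SAMPLE_SANS).items():
        print(f"{value!r}: {', '.join(probs)}")
```

The lint only checks syntax and the validated-network allow-list; it cannot establish who actually controls an address, so a hit on 1.1.1.1 means "not validated", not "proven stolen".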