Hello,
This is a public report of several certificates issued by Fina RDC
2020 that appear to be mis-issued. These certificates contain the
Subject Alternative Name (SAN) iPAddress:1.1.1.1.
The IP address 1.1.1.1 is a well-known public DNS resolver operated by
Cloudflare, in partnership with APNIC. It is highly unlikely that the
certificate subscribers demonstrated control over this IP address as
required by the CA/Browser Forum Baseline Requirements.
Three of the discovered certificates are still valid as of today,
September 3, 2025.
Mis-issued Certificates:
1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
Subject CN:
test1.hr
SAN:
- dNSName:
test1.hr
- dNSName:
test12.hr
- iPAddress:1.1.1.1
crt.sh:
https://crt.sh/?id=18603461241
Censys:
https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee
2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
Subject CN:
test1.hr
SAN:
- dNSName:
test1.hr
- dNSName:
test11.hr
- iPAddress:1.1.1.1
crt.sh:
https://crt.sh/?id=19749721864
Censys:
https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf
3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
Subject CN:
test11.hr
SAN:
- dNSName:
test11.hr
- dNSName:
test12.hr
- iPAddress:1.1.1.1
crt.sh:
https://crt.sh/?id=20582951233
Censys:
https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92
Relevant Certificate Authority:
These precertificates were issued by Fina RDC 2020
(
https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root
CA (
https://crt.sh/?caid=100631).
Fina Root CA is trusted by The Microsoft Root Certificate Program.
Apparent Violations:
This issuance appears to violate both the CA/Browser Forum's
requirements and Fina's own stated policies.
1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section 7.1.2.7.12:
The entry MUST contain the IPv4 or IPv6 address that the CA has
confirmed the Applicant controls or has been granted the right to use
through a method specified in Section 3.2.2.5.
2. Fina RDC 2020 Certificate Policy (v1.12), Section
3.2.2.4:
For each IP Address listed in certificate application Fina shall
verify, as of the date the certificate was issued, the right to use
and control the IP Address by the Legal person submitting the
certificate application.
This verification shall be done in accordance with the methods
specified in the CA/Browser Forum BRG document.
I request that Fina investigate this matter, revoke any active
non-compliant certificates, and provide a public incident report in a
timely manner.
---
Best regards,
Youfu Zhang