MozillaIntermediateCertsCSVReport — blank line after -----BEGIN CERTIFICATE----- in 18 Amazon S-series rows


Anupama M

May 11, 2026, 2:22:52 PM
to dev-secur...@mozilla.org

Hi Mozilla Team,

Reporting a regression in the PEM column of MozillaIntermediateCertsCSVReport (snapshot 2026-05-07) downloaded from https://ccadb.my.salesforce-sites.com/mozilla/MozillaIntermediateCertsCSVReport.

18 rows have a blank line directly after the pre-encapsulation boundary — the byte sequence is -----BEGIN CERTIFICATE-----\n\nMII… instead of -----BEGIN CERTIFICATE-----\nMII…. This violates RFC 7468 §3 ("There is no blank line between the pre-encapsulation boundary and the encapsulated text") and is rejected outright by strict PEM parsers. The same bug also appears to throw the wrap counter for the rest of the body in those 18 rows, producing pathological 64/1/62/2/… line widths.

The underlying certificate data is fine — every PEM still decodes to a cert whose SHA-256 matches the row's SHA256 column — so this is purely a CSV-generator regression.

Affected rows are all Amazon S-series intermediates:

  • Amazon ECDSA 256 S06–S09 (4 certs, issued by Amazon Root CA 4)
  • Amazon ECDSA 384 S06–S13 (8 certs, issued by Amazon Root CA 4)
  • Amazon RSA 2048 S06–S11 (6 certs, issued by Amazon Root CA 1)

Happy to share the full list of 18 SHA-256s or the analysis script if useful.

Thanks,

Anupama M
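
The three checks described in the report above, as an added example that is not part of the original post and is not the poster's analysis script: a strict RFC 7468 layout check, a 64-column wrap check, and a lenient decode compared against the row's SHA256 column. The function names, the finding labels, and the stand-in bytes are assumptions made for this example, as is normalising the SHA256 column to uppercase hex without colons.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pem_cell(pem, expected_sha256):
    """Return findings for one PEM cell; an empty list means clean."""
    lines = pem.replace("\r\n", "\n").strip("\n").split("\n")
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return ["bad-boundaries"]
    body, findings = lines[1:-1], []
    # RFC 7468 section 3: no blank line between the BEGIN boundary and the text.
    if body[0].strip() == "":
        findings.append("blank-line-after-begin")
    text = [l for l in body if l.strip()]
    if not text:
        return findings + ["empty-body"]
    # Strict layout: every line is exactly 64 characters except the final one.
    if any(len(l) != 64 for l in text[:-1]) or not 1 <= len(text[-1]) <= 64:
        findings.append("irregular-wrap")
    # Lenient decode: drop all whitespace, then compare the hash of the decoded
    # bytes with the row's SHA256 column to tell layout damage from data damage.
    try:
        der = base64.b64decode("".join("".join(body).split()), validate=True)
    except ValueError:
        return findings + ["base64-invalid"]
    digest = hashlib.sha256(der).hexdigest().upper()
    if digest != expected_sha256.replace(":", "").upper():  # assumed column format
        findings.append("sha256-mismatch")
    return findings

def build_pem(der, widths=(64,), blank_after_begin=False):
    """Constructed-sample helper: wrap base64 using a repeating width cycle."""
    b64, out, i, k = base64.b64encode(der).decode(), [], 0, 0
    while i < len(b64):
        width = widths[k % len(widths)]
        out.append(b64[i:i + width])
        i, k = i + width, k + 1
    head = [BEGIN, ""] if blank_after_begin else [BEGIN]
    return "\n".join(head + out + [END]) + "\n"

# Constructed stand-in bytes, not a real certificate and not a row from the report.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
GOOD = build_pem(SAMPLE_DER)
BAD = build_pem(SAMPLE_DER, widths=(64, 1, 62, 2), blank_after_begin=True)

if __name__ == "__main__":
    print(check_pem_cell(GOOD, SAMPLE_SHA256), check_pem_cell(BAD, SAMPLE_SHA256))
```

A cell that reports only layout findings and no `sha256-mismatch` corresponds to the situation in the report: the encoding is malformed but the certificate bytes are intact.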

Trevoli Ponds-White

May 12, 2026, 12:41:53 PM
to dev-secur...@mozilla.org, Anupama M
Hi Anupama, we think this might be an issue on our side when we imported the pem file. Not a CCADB issue. Our team is looking into this now.

Thanks,
Trevoli Ponds-White
Amazon Trust Services

Trevoli Ponds-White

4:58 PM
to dev-secur...@mozilla.org, Trevoli Ponds-White, Anupama M
This should be resolved for the Amazon Trust Services ICAs now. 