Revocation method is missing by subCA


Yuwei HAN (hanyuwei70)

Mar 16, 2026, 9:43:10 AM
to dev-secur...@mozilla.org
Hi, all.
The private key of https://crt.sh/?id=24937759962 has been leaked, and the subCA WoTrus RSA DV SSL CA 2 (https://crt.sh/?caid=427494) seems to lack a quick way (posting via a web form) to submit a revocation request. So the report was posted to Sectigo.

In BR 4.9, there seems to be no explicit requirement for a sub CA to support revocation requests. Should we be more explicit about this? (e.g. require that all CAs in the chain of trust process revocation requests).

Rob Stradling

Mar 16, 2026, 10:36:08 AM
to Yuwei HAN (hanyuwei70), dev-secur...@mozilla.org
> the subCA WoTrus RSA DV SSL CA 2 (https://crt.sh/?caid=427494) seems to lack a quick way (posting via a web form) to submit a revocation request

That's incorrect.

> So the report is posted to Sectigo.

Since Sectigo is the CA Owner in this case, that was the correct thing to do.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/5084cfc0-e82b-4d15-b578-f829645aa59cn%40mozilla.org.

Hanno Böck

Mar 16, 2026, 10:40:42 AM
to dev-secur...@mozilla.org
Hello,

On Mon, 16 Mar 2026 06:43:10 -0700 (PDT)
"Yuwei HAN (hanyuwei70)" <hanyu...@gmail.com> wrote:

> https://crt.sh/?id=24937759962 private key is leaked, and subCA
> WoTrus RSA DV SSL CA 2 (https://crt.sh/?caid=427494) seems lack a
> quick way (posting by web form) to submit revocation request. So the
> report is posted to Sectigo.

For what it's worth, I guess you're talking about this key:
https://x.com/realNyarime/status/2033428417488757122

Sectigo offers an ACME endpoint to revoke certs, and I can say from
experience that this also works with their branded sub-CAs. I just
tried to revoke the cert, but it was already revoked.

Sectigo ACME endpoint URL is:
https://acme.sectigo.com/v2/keyCompromise

--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
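The ACME key-compromise path Hanno describes is the revokeCert request of RFC 8555 section 7.6: the request is a JWS signed with the certificate's own private key, and that signature is itself the proof that the reporter holds the leaked key. The Go program below is an added example and is not code from this thread, from Sectigo or from Mozilla. It builds such a request for a constructed, self-signed stand-in certificate and then runs the checks a server performs on that path, including rejecting a request signed with a key that is not the certificate's. The revokeCert URL and the nonce are assumptions: a real client takes both from the ACME directory and newNonce endpoints (for Sectigo, under the keyCompromise URL named above) and POSTs the JSON with Content-Type application/jose+json.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// revokeURL is an assumption for this example; a real client reads the
// revokeCert URL from the CA's ACME directory and a nonce from newNonce.
const revokeURL = "https://acme.example/revoke-cert"

// reasonKeyCompromise is the RFC 5280 CRLReason code carried in the payload.
const reasonKeyCompromise = 1

type jws struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

var enc = base64.RawURLEncoding

func b64(b []byte) string { return enc.EncodeToString(b) }

// newLeakedCert builds a self-signed stand-in for the leaked leaf certificate.
// It is constructed for this example and is not the crt.sh certificate.
func newLeakedCert() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1234),
		Subject:      pkix.Name{CommonName: "leaked.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// buildRevokeRequest produces the JWS for POST revokeCert (RFC 8555 7.6) in the
// "signed by the certificate key" form: jwk in the protected header, no account kid.
func buildRevokeRequest(key *ecdsa.PrivateKey, certDER []byte, nonce, url string) (*jws, error) {
	if key.Curve != elliptic.P256() {
		return nil, errors.New("ES256 requires a P-256 key")
	}
	jwk := map[string]string{"crv": "P-256", "kty": "EC",
		"x": b64(key.X.FillBytes(make([]byte, 32))), "y": b64(key.Y.FillBytes(make([]byte, 32)))}
	hdr, _ := json.Marshal(map[string]any{"alg": "ES256", "jwk": jwk, "nonce": nonce, "url": url})
	body, _ := json.Marshal(map[string]any{"certificate": b64(certDER), "reason": reasonKeyCompromise})
	p, pl := b64(hdr), b64(body)
	digest := sha256.Sum256([]byte(p + "." + pl)) // JWS signing input
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JOSE r||s
	return &jws{Protected: p, Payload: pl, Signature: b64(sig)}, nil
}

// verifyRevokeRequest performs the server-side checks for this path: the JWS must
// verify under the embedded JWK, the url must match the endpoint, and the JWK must
// be the public key of the certificate in the payload. Returns serial and reason.
func verifyRevokeRequest(req *jws, expectURL string) (*big.Int, int, error) {
	var hdr struct {
		Alg, Nonce, URL string
		JWK             struct{ Kty, Crv, X, Y string }
	}
	hb, err := enc.DecodeString(req.Protected)
	if err != nil {
		return nil, 0, err
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, 0, err
	}
	if hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" || hdr.Nonce == "" {
		return nil, 0, errors.New("unsupported or malformed protected header")
	}
	if hdr.URL != expectURL {
		return nil, 0, errors.New("url in protected header does not match this endpoint")
	}
	x, errX := enc.DecodeString(hdr.JWK.X)
	y, errY := enc.DecodeString(hdr.JWK.Y)
	sig, errS := enc.DecodeString(req.Signature)
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, 0, errors.New("malformed jwk or signature")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(req.Protected + "." + req.Payload))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, 0, errors.New("JWS signature does not verify")
	}
	var body struct {
		Certificate string
		Reason      int
	}
	pb, err := enc.DecodeString(req.Payload)
	if err != nil {
		return nil, 0, err
	}
	if err := json.Unmarshal(pb, &body); err != nil {
		return nil, 0, err
	}
	der, err := enc.DecodeString(body.Certificate)
	if err != nil {
		return nil, 0, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, 0, err
	}
	certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !certPub.Equal(pub) {
		return nil, 0, errors.New("JWS key is not the certificate key: no proof of compromise")
	}
	return cert.SerialNumber, body.Reason, nil
}

func main() {
	key, der, err := newLeakedCert()
	if err != nil {
		panic(err)
	}
	// The nonce is constructed here; a real client fetches one from newNonce first.
	req, err := buildRevokeRequest(key, der, "constructed-nonce", revokeURL)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(req, "", "  ")
	fmt.Printf("POST %s\nContent-Type: application/jose+json\n\n%s\n\n", revokeURL, out)
	serial, reason, err := verifyRevokeRequest(req, revokeURL)
	fmt.Println("server check: serial", serial, "reason", reason, "err", err)
}
```

The point of the key-match check at the end of verifyRevokeRequest is why this path needs no account with the CA: anyone who can produce the signature demonstrably holds the private key, which is exactly the condition for a keyCompromise revocation. A request signed by any other key, or replayed against a different URL, is refused.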

Aaron Gable

Mar 16, 2026, 12:16:02 PM
to Yuwei HAN (hanyuwei70), dev-secur...@mozilla.org
On Mon, Mar 16, 2026 at 6:43 AM Yuwei HAN (hanyuwei70) <hanyu...@gmail.com> wrote:

In BR 4.9, there seems to be no explicit requirement for a sub CA to support revocation requests. Should we be more explicit about this? (e.g. require that all CAs in the chain of trust process revocation requests).

The BRs Section 4.9.3 say "The CA SHALL provide a process for Subscribers to request revocation of their own Certificates. The process MUST be described in the CA's Certificate Policy or Certification Practice Statement. The CA SHALL maintain a continuous 24x7 ability to accept and respond to revocation requests and Certificate Problem Reports." This remains true no matter how many Subordinate CAs sit between the Subscriber Certificate and the Root Certificate; the requirement applies to all Subscriber Certificates.

Sectigo's Certificate Problem Reporting mechanisms can be found by locating their CPS (https://www.sectigo.com/cps-repository), seeing that their Section 4.9.3 points at their Section 1.5.2.1, and selecting any of the three methods (revocation portal, ACME endpoint, or email) listed there.

Aaron 

Yuwei HAN (hanyuwei70)

Mar 16, 2026, 12:38:08 PM
to dev-secur...@mozilla.org, Hanno Böck
> For what it's worth, I guess you're talking about this key:
> https://x.com/realNyarime/status/2033428417488757122
Yes. This is what I am talking about.


> Sectigo ACME endpoint URL is:
> https://acme.sectigo.com/v2/keyCompromise
Thanks for the information, it helped a lot.

When I was writing the original post, I saw OCSP responding "good" (now it's revoked). And I saw it was revoked at 2026-03-16 05:37:06 UTC. So is there a gap between the revocation and the actual OCSP response?

Yuwei HAN (hanyuwei70)

Mar 16, 2026, 12:39:29 PM
to dev-secur...@mozilla.org, Aaron Gable, dev-secur...@mozilla.org, Yuwei HAN (hanyuwei70)
> This remains true no matter how many Subordinate CAs sit between the Subscriber Certificate and the Root Certificate; the requirement applies to all Subscriber Certificates.
Now I have a better understanding. Much appreciated.

Next time I would use ACME to issue the revocation request.

Aaron Gable

Mar 16, 2026, 12:55:49 PM
to Yuwei HAN (hanyuwei70), dev-secur...@mozilla.org, Hanno Böck
Notice that the OCSP response contains a nextUpdate field; OCSP responses may be cached and reused until that time has passed. Additionally, CAs are only required to publish the revocation (i.e. have the new OCSP response globally visible) within 24 hours of receiving a key compromise report (see BRs 4.9.1.1). So yes, it is fully expected and appropriate that you did not see the updated OCSP response immediately.

Aaron
