Every certificate known to CT issued by PROCERT with a notBefore
date after September 30, 2016 has what appears to be a non-random
serial number:
https://crt.sh/?Identity=%25&iCAID=750
1e:4d:94:48:00:00:00:00:0c:79
2f:84:26:06:00:00:00:00:0b:1b
3d:94:73:d1:00:00:00:00:0a:ab
4b:53:8c:18:00:00:00:00:09:db
4c:94:f1:d5:00:00:00:00:0a:bd
4c:f3:00:86:00:00:00:00:0a:c0
4d:a7:2c:6a:00:00:00:00:0a:c3
4e:11:32:b3:00:00:00:00:0a:c7
6f:d3:c3:24:00:00:00:00:0c:56
7b:33:8f:17:00:00:00:00:0c:96
7b:98:a8:b1:00:00:00:00:0c:97
11:bb:b9:9f:00:00:00:00:0b:af
14:e9:6d:a4:00:00:00:00:0a:fa
16:8e:a3:9d:00:00:00:00:0b:f5
17:93:5a:4f:00:00:00:00:09:a6
17:96:d7:b8:00:00:00:00:09:a7
18:94:8a:f4:00:00:00:00:09:5a
18:98:dc:bb:00:00:00:00:09:5b
35:ce:d9:af:00:00:00:00:0c:02
43:ed:d4:a7:00:00:00:00:0a:b1
51:33:c5:60:00:00:00:00:0a:36
62:fa:e6:81:00:00:00:00:08:ad
69:4d:2f:c1:00:00:00:00:08:b4
76:81:87:9b:00:00:00:00:0b:65
In addition, their OCSP responder is returning a status of "Good" for
adjacent serial numbers, suggesting sequential assignment of serial
numbers.
This violates section 7.1 of the BRs, which state:
"Effective September 30, 2016, CAs SHALL generate non-sequential
Certificate serial numbers greater than zero (0) containing at least 64
bits of output from a CSPRNG."
I have not reported this to PROCERT since their problem reporting
mechanism is a link to a non-English web page.
Regards,
Andrew
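
Added example, not part of the post above and not code from PROCERT or crt.sh: a heuristic audit of a batch of issued serial numbers for the two signs the post describes, a fixed field and adjacent trailing values. It uses a subset of the serials listed in the post; the function names and the 2-byte counter width are assumptions made for this illustration.

```python
# Subset of the serial numbers listed in the post above.
SERIALS = [
    "17:93:5a:4f:00:00:00:00:09:a6",
    "17:96:d7:b8:00:00:00:00:09:a7",
    "18:94:8a:f4:00:00:00:00:09:5a",
    "18:98:dc:bb:00:00:00:00:09:5b",
    "7b:33:8f:17:00:00:00:00:0c:96",
    "7b:98:a8:b1:00:00:00:00:0c:97",
    "62:fa:e6:81:00:00:00:00:08:ad",
    "1e:4d:94:48:00:00:00:00:0c:79",
]

def parse(serial):
    """Colon-separated hex (as crt.sh displays it) -> raw bytes."""
    return bytes.fromhex(serial.replace(":", ""))

def constant_positions(raws):
    """Byte offsets that hold the same value in every serial."""
    return [i for i in range(len(raws[0])) if len({r[i] for r in raws}) == 1]

def adjacent_pairs(raws, width=2):
    """Trailing `width`-byte values (assumed counter field) that differ by 1."""
    counters = sorted({int.from_bytes(r[-width:], "big") for r in raws})
    return [(a, b) for a, b in zip(counters, counters[1:]) if b - a == 1]

def audit(serials, required_bits=64, width=2):
    raws = [parse(s) for s in serials]
    if len({len(r) for r in raws}) != 1:
        raise ValueError("mixed serial lengths; group by length first")
    fixed = constant_positions(raws)
    # Upper bound only: bytes that vary are not thereby proven random,
    # but bytes that never vary cannot carry CSPRNG output.
    variable_bits = 8 * (len(raws[0]) - len(fixed))
    pairs = adjacent_pairs(raws, width)
    return {
        "constant_offsets": fixed,
        "max_variable_bits": variable_bits,
        "adjacent_counters": pairs,
        "suspect": variable_bits < required_bits or bool(pairs),
    }

if __name__ == "__main__":
    print(audit(SERIALS))
```

A "suspect" result is a prompt for manual review, not proof: on a very large batch of truly random serials, two 16-bit trailers can differ by 1 by chance.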