We've done an automated analysis on 2018-03-13 of TLS/SSL certificates that have been issued by our CAs:
- Camerfirma Corporate Server II - 2015
- Camerfirma Corporate Server - 2009
- AC CAMERFIRMA AAPP
We discovered 81 certificates that we didn't discover in our previous manual analyses of crt.sh. These misissued certificates were due to the fact that we had incorrect implementations of TLS/SSL certificates; each of the errors was previously corrected.
The reasons why they are incorrect are:
- (3) cablint ERROR commonNames in BR certificates must be from SAN entries
- (1) cablint ERROR DNSName is not FQDN
- (1) cablint ERROR DNSName is not in preferred syntax
- (11) cablint ERROR Incorrectly encoded TeletexString in Certificate
- (15) cablint FATAL ASN.1 Error in X520countryName: BER decoding failed at octet 0: Parse error
- (30) cablint ERROR BR certificates must not contain directoryName type alternative name
- (18) x509lint ERROR organizationName too long
- (2) x509lint ERROR The string contains non-printable control characters
For all of these certificates, the registration process of the domains and organizations included in them was carried out correctly.
From the moment they were detected, we began the process of replacing them.
There are 4 that have already expired.
We've revoked 44 of the aforementioned certificates and we are in contact with the rest of the subscribing organizations to proceed with their substitution, given that most of them are Spanish public administration bodies that offer public services and they are unable to replace them in an agile way.
All of these certificates were issued prior to the implementation of technical controls that eliminate the possibility of repeating the issuance of erroneous certificates with these errors.
On 2018-02-14 we implemented a technical control that prevents the issuance of a TLS/SSL certificate if cablint or x509lint reports an error of type 'FATAL' or 'ERROR', so it is expected that there are no new certificates with these errors issued by 'Camerfirma Corporate Server II - 2015'. 'AC CAMERFIRMA AAPP' and 'Camerfirma Corporate Server - 2009' are disabled for the issuance of certificates in our system.
A report with the detected certificates is available at:
https://bugzilla.mozilla.org/attachment.cgi?id=8962396
Best Regards
Juan Angel
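The following is an added example, not Camerfirma's code and not part of the bug comment above. It sketches the two layers a pre-issuance gate of the kind the comment describes would have: a pre-check of the requested subject and subjectAltName data against the Baseline Requirements rules behind the listed finding classes (commonName must appear in the SAN, no directoryName SAN entries, dNSNames must be FQDNs in RFC 1034 preferred syntax, organizationName within the X.520 limit of 64, a two-letter countryName, no control characters), and a gate that blocks issuance when cablint or x509lint report a FATAL or ERROR finding. Assumptions, all labelled in the code: that both linters are on PATH as `cablint` and `x509lint` and take the certificate file as their only argument, and that they print one finding per line as `<level>: <message>` with levels F/E/W/I/B/N. The sample subject, SAN list and linter output are constructed for the demonstration; the ASN.1/TeletexString encoding findings from the comment can only be caught by the real linters on the final DER, which is why the second layer remains necessary.

```python
import re
import subprocess
import unicodedata

# X.520 ub-organization-name; x509lint reports "organizationName too long" above it.
MAX_ORGANIZATION_NAME = 64
# One DNS label in RFC 1034 preferred syntax: letters/digits/hyphens, no leading
# or trailing hyphen, at most 63 characters.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_subject_and_sans(subject, sans):
    """Pre-check a request before it reaches the CA signer.

    subject: dict attribute name -> string value
    sans:    list of (GeneralName type, value), e.g. ("dNSName", "www.example.org")
    Returns a list of error strings; empty means the request passes this layer.
    """
    errors = []
    for attr, value in subject.items():
        # Unicode category Cc = C0/C1 control characters.
        if any(unicodedata.category(ch) == "Cc" for ch in value):
            errors.append(f"{attr}: the string contains non-printable control characters")
    if len(subject.get("organizationName", "")) > MAX_ORGANIZATION_NAME:
        errors.append("organizationName too long")
    country = subject.get("countryName")
    if country is not None and not re.fullmatch(r"[A-Z]{2}", country):
        errors.append("countryName must be a two-letter ISO 3166 code")
    for gn_type, value in sans:
        if gn_type == "directoryName":
            errors.append("BR certificates must not contain directoryName type alternative name")
        elif gn_type == "dNSName":
            labels = value.rstrip(".").split(".")
            if labels and labels[0] == "*":  # a leading wildcard label is permitted
                labels = labels[1:]
            if len(labels) < 2:
                errors.append(f"DNSName '{value}' is not FQDN")
            elif not all(LABEL_RE.fullmatch(label) for label in labels):
                errors.append(f"DNSName '{value}' is not in preferred syntax")
    cn = subject.get("commonName")
    san_values = {v.lower() for t, v in sans if t in ("dNSName", "iPAddress")}
    if cn is not None and cn.lower() not in san_values:
        errors.append("commonNames in BR certificates must be from SAN entries")
    return errors


# Assumed output format of cablint and x509lint: "<level>: <message>" per line,
# level in F (fatal), E (error), W, I, B, N.  crt.sh shows E and F as ERROR/FATAL.
LINT_LINE_RE = re.compile(r"^([FEWIBN]):\s*(.*)$")
BLOCKING_LEVELS = {"F", "E"}


def parse_lint_output(text):
    """Return (level, message) tuples parsed from linter output."""
    findings = []
    for line in text.splitlines():
        match = LINT_LINE_RE.match(line.strip())
        if match:
            findings.append((match.group(1), match.group(2)))
    return findings


def blocking_findings(findings):
    """Keep only findings that must stop issuance (FATAL or ERROR)."""
    return [(level, msg) for level, msg in findings if level in BLOCKING_LEVELS]


def lint_gate(cert_path):
    """Run both linters on the final certificate and return the blocking findings.

    Assumption: 'cablint' and 'x509lint' are on PATH and accept the certificate
    file as their only argument (hypothetical deployment; adjust to your install).
    """
    output = ""
    for tool in ("cablint", "x509lint"):
        proc = subprocess.run([tool, cert_path], capture_output=True, text=True)
        output += proc.stdout
    return blocking_findings(parse_lint_output(output))


# Constructed sample request reproducing several of the reported finding classes.
BAD_SUBJECT = {
    "commonName": "www.example.org",       # not among the SAN dNSNames
    "organizationName": "O" * 65,          # one character over the X.520 limit
    "countryName": "ES",
    "localityName": "Madrid\x07",          # embedded control character
}
BAD_SANS = [
    ("dNSName", "example.org"),
    ("dNSName", "intranet"),               # single label, not an FQDN
    ("dNSName", "under_score.example.org"),  # underscore is outside preferred syntax
    ("directoryName", "CN=Example"),       # forbidden GeneralName type in BR certificates
]

# Constructed linter output (not real tool output) in the assumed format.
SAMPLE_LINT_OUTPUT = """\
W: constructed warning line
E: commonNames in BR certificates must be from SAN entries
I: constructed info line
F: ASN.1 Error in X520countryName: BER decoding failed at octet 0: Parse error
"""

if __name__ == "__main__":
    for err in check_subject_and_sans(BAD_SUBJECT, BAD_SANS):
        print("REJECT:", err)
    for level, msg in blocking_findings(parse_lint_output(SAMPLE_LINT_OUTPUT)):
        print("BLOCK:", level, msg)
```

Run stand-alone it prints the six pre-check rejections for the constructed request and the two blocking linter lines. The pre-check is deliberately conservative (it rejects, never rewrites, the request); the final gate on the linters' verdict is what guarantees that encoding-level defects such as a mis-encoded TeletexString or an undecodable countryName never leave the CA.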