Revoke Notification
GoDaddy has been proactively auditing certificates under management. We have identified 1000 certificates having one or more of the 6 issues defined below. The majority of these certs are 3 years old or older. Most are from 2013 or before.
The certificates were identified by analyzing results from both zlint and certlint. We also verified all lint findings against current and past BRs. We discovered multiple defects with the linters, and submitted pull requests to correct them. See below.
Zlint PR to correct these issues:
https://github.com/zmap/zlint/pull/232
https://github.com/zmap/zlint/commit/12b8dc0338e6261fb4ad6a623c0a4c1bc99b3dfe
CertLint PRs to correct issues:
In Progress, will publish if requested.
Once we had confirmation of the lint issues, we then proceeded to incrementally notify and revoke. See the timeline below.
Timeline of Events for Revocation:
6/26/2018 – 7/10/2018 – Test runs and bug fixes for Zlint/CertLint
7/11/2018 9:45am – First round list of certs identified to revoke.
--------------------------------------------------------------------------------------------------------
| Error                                                          | Quantity of Certs | Last Occurrence |
--------------------------------------------------------------------------------------------------------
| BR certificates must be 39 months in validity or less          | 27                | 4/1/15 13:07    |
--------------------------------------------------------------------------------------------------------
| BR certificates must be 60 months in validity or less          | 84                | 8/7/13 16:48    |
--------------------------------------------------------------------------------------------------------
| BR certificates with organizationName must include countryName | 6                 | 1/17/13 14:51   |
--------------------------------------------------------------------------------------------------------
| e_dnsname_not_valid_tld,                                       |                   |                 |
| e_subject_common_name_not_from_san,                            |                   |                 |
| e_dnsname_bad_character_in_label                               | 4                 | *7/5/18 11:48   |
--------------------------------------------------------------------------------------------------------
| e_subject_common_name_not_from_san,                            |                   |                 |
| e_dnsname_bad_character_in_label                               | 28                | *7/9/18 21:12   |
--------------------------------------------------------------------------------------------------------
| RSA subject key modulus must be at least 2048 bits             | 638               | 10/5/09 8:25    |
--------------------------------------------------------------------------------------------------------
*A total of 17 certificates issued in 2018 were revoked due to invalid extended ASCII characters. CertLint was not catching these issues, which would have prevented issuance. We have since remediated these problems, and are adding zLint to our certificate issuance process as a second check.
Issued in 2018 certificate serial numbers 4329668077199547083, 8815069853166416488, 8835430332440327484, 13229652153750393997, 12375089233389451640, 11484792606267277228, 11919098489171585007, 9486648889515633287, 14583473664717830410, 7612308405142602244, 4011153125742917275, 6919066797946454186, 15449193186990222652, 14380872970193550115, 1792501994142248245, 12601193235728728125, 10465762057746987360
crt.sh was unavailable when this was crafted, else I would provide links to the 4 certs which were CT logged.
7/11/2018 10:30am – Certificate revocation process started, with emails sent to certificate owners.
7/12/2018 9am – All first-round certificates revoked.
7/13/2018 11:30am – Second round of certs identified.
--------------------------------------------------------------------------------------------------------
| Error                                                          | Quantity of Certs | Last Occurrence |
--------------------------------------------------------------------------------------------------------
| RSA subject key modulus must be at least 2048 bits             | 213               | 7/30/09 13:52   |
--------------------------------------------------------------------------------------------------------
7/13/2018 1:30pm – Final round of cert revocations completed.
Please let us know of any questions or concerns.
Daymion Reynolds
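
Added example, not part of the original message and not zlint or certlint code: a Go pre-issuance name check of the kind the message describes adding as a second check, reporting the two name-related lint identifiers from the tables above. The label rule (ASCII letters, digits and hyphen, with a wildcard accepted only as the whole leftmost label), the exact-match CN comparison, the function names and the sample names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Lint names come from the report; the checks are this example's own stand-ins.
const badLabel = "e_dnsname_bad_character_in_label"
const cnNotSAN = "e_subject_common_name_not_from_san"

// labelOK applies the assumed rule: non-empty, ASCII letters, digits, hyphens.
func labelOK(label string) bool {
	for i := 0; i < len(label); i++ { // byte-wise, so any byte >= 0x80 fails
		c := label[i]
		isAlnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
		if !isAlnum && c != '-' {
			return false
		}
	}
	return label != ""
}

// lintNames returns findings for a requested CN and its dNSName SAN list.
func lintNames(cn string, sans []string) []string {
	var findings []string
	cnInSAN, badChar := false, false
	for _, name := range sans {
		cnInSAN = cnInSAN || name == cn // exact match is this example's assumption
		labels := strings.Split(name, ".")
		if len(labels) > 1 && labels[0] == "*" {
			labels = labels[1:] // wildcard accepted only as the whole leftmost label
		}
		for _, l := range labels {
			badChar = badChar || !labelOK(l)
		}
	}
	if badChar {
		findings = append(findings, badLabel)
	}
	if !cnInSAN {
		findings = append(findings, cnNotSAN)
	}
	return findings
}

func main() {
	// Constructed request: the SAN carries byte 0xF6 (extended ASCII) and differs from the CN.
	fmt.Println(lintNames("shop.example.com", []string{"sh\xf6p.example.com"}))
}
```

A request that returns any finding would be held back before signing rather than corrected after issuance.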