GoDaddy, Apple and Google have mistakenly issued more than 1 million digital certificates whose serial numbers contain only 63 bits of randomness instead of the 64 bits required by the CA/Browser Forum's rules for certificate issuance. The companies are now forced to revoke the certificates that do not meet the industry standard. It is currently unclear how many certification authorities (CAs) are affected, so the number of non-compliant certificates may turn out to be significantly higher.
The cause of the problem was an incorrect serial-number setting in EJBCA (Enterprise JavaBeans Certificate Authority), the CA software these companies use to generate certificates. By default EJBCA generates serial numbers from 64 bits of random data, in line with the CA/Browser Forum's "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates", which require at least 64 bits of output from a cryptographically secure random number generator. An X.509 serial number is a DER-encoded INTEGER and must be positive, and the generator kept it positive by forcing the most significant of the 64 random bits to zero. The resulting serial numbers therefore contain only 63 bits of entropy, which violates the industry standard.
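The following Python is an added illustration of the failure mode described above; it is not EJBCA's code and does not reproduce its actual implementation. It contrasts a serial generator that keeps all 64 random bits (accepting that values with the top bit set DER-encode to nine bytes with a leading 0x00) against one that clears the top bit to fit eight bytes, and it includes a population check an auditor can run over a CA's issued serials: a compliant 64-bit generator sets the top bit in roughly half of its serials, so a batch in which none has it set is a strong sign of the 63-bit bug. Only the standard library is used; the sample serials are generated locally.

```python
import secrets

SERIAL_BITS = 64  # CA/B Forum Baseline Requirements: at least 64 bits of CSPRNG output
MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber content must not exceed 20 octets


def der_encode_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02, short-form length).
    DER INTEGER is two's-complement, so a value whose top bit is set needs a
    leading 0x00 octet to remain positive; that is why a full 64-bit serial can
    occupy 9 content octets rather than 8."""
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    # (bit_length + 8) // 8 yields one extra octet exactly when the top bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    assert len(body) < 128, "short-form length only; serials never get this long"
    return bytes([0x02, len(body)]) + body


def draw_serial_compliant() -> int:
    """64 bits taken straight from a CSPRNG and used as an unsigned integer.
    Values >= 2**63 are legitimate and simply encode with a leading 0x00."""
    while True:
        serial = int.from_bytes(secrets.token_bytes(8), "big")
        if serial > 0:  # serial numbers must be greater than zero
            return serial


def draw_serial_flawed() -> int:
    """Illustration of the bug class (not EJBCA's source): draw 8 random bytes,
    then clear the most significant bit so the DER INTEGER always fits in
    8 octets. Only 63 bits of entropy survive."""
    raw = bytearray(secrets.token_bytes(8))
    raw[0] &= 0x7F
    return int.from_bytes(raw, "big") or 1


def serial_violations(serial: int) -> list:
    """Checks a single serial against the rules that can be judged in isolation.
    Entropy cannot be measured from one value; see audit_serials for that."""
    problems = []
    if serial <= 0:
        problems.append("serial is not greater than zero")
        return problems
    content_octets = len(der_encode_integer(serial)) - 2
    if content_octets > MAX_SERIAL_OCTETS:
        problems.append(f"DER content is {content_octets} octets, over the 20-octet limit")
    return problems


def audit_serials(serials, bits: int = SERIAL_BITS) -> dict:
    """Population check for the 63-bit bug. A generator emitting `bits` random
    bits sets bit (bits-1) in about half of its serials; if none of n serials
    has it set, a compliant generator would have produced that with probability
    2**-n. 'suspicious' requires at least 20 samples so tiny batches do not flag."""
    n = len(serials)
    top_bit_set = sum(1 for s in serials if s > 0 and (s >> (bits - 1)) & 1)
    return {
        "count": n,
        "top_bit_set": top_bit_set,
        "suspicious": n >= 20 and top_bit_set == 0,
        "p_if_compliant": 2.0 ** -n if top_bit_set == 0 else None,
        "individual_violations": {s: v for s in serials if (v := serial_violations(s))},
    }


if __name__ == "__main__":
    # Constructed sample: 64 serials from each generator, audited the same way.
    for name, draw in (("compliant", draw_serial_compliant), ("flawed", draw_serial_flawed)):
        batch = [draw() for _ in range(64)]
        report = audit_serials(batch)
        nine_octet = sum(1 for s in batch if len(der_encode_integer(s)) == 11)
        print(f"{name:10s} top_bit_set={report['top_bit_set']:2d}/64 "
              f"suspicious={report['suspicious']} nine_octet_serials={nine_octet}")
```

Run it and the flawed batch reports zero serials with the top bit set (and none that encode to nine octets), while the compliant batch reports roughly half of each. To audit real certificates, feed `audit_serials` the serial numbers of a CA's issued leaf certificates, for example pulled from Certificate Transparency logs, and treat a large batch with `top_bit_set == 0` as evidence of a 63-bit generator.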
Although the non-compliant certificates do not pose any particular security risk, experts say the problem could turn into a headache for many organizations. Replacing a single digital certificate takes a few hours, and many businesses have no automated system for replacing large numbers of certificates. Moreover, a certificate replacement performed by an inexperienced administrator can introduce new vulnerabilities or disrupt the company's operations.
According to GoDaddy representatives, the company issued approximately 300 thousand non-compliant certificates; Apple put its figure at 878 thousand certificates (558 thousand of them still valid), and Google announced that since 2016 it has issued more than 100 thousand such certificates, of which only 7.1 thousand remain valid. Apple and Google are currently in the process of revoking the certificates, and GoDaddy representatives say the company will revoke all of its affected certificates within the next 30 days.