Certinomis, a French certification authority, is being removed from browsers due to repeated violations of certificate validation rules. A Certification Authority (CA) is an organization that browser vendors trust to issue certificates to websites. Unfortunately, these organizations often misissue certificates, for various reasons, in violation of the requirements set by the CA/Browser Forum (CABForum for short).
As explained in a previous blog post, the CABForum was established to standardize the requirements for issuing publicly-trusted certificates. Members include browser “manufacturers” and public certificate authorities (CAs). “Publicly-trusted” means that certificates issued by a CA are trusted by browsers and other systems that use certificates. The CABForum codified its issuance requirements in a document called the Baseline Requirements, which covers a wide range of topics, including how to validate the requester of a certificate, maximum validity periods, algorithms (e.g., SHA-1), CN and SAN contents, etc.
The Baseline Requirements require that all CAs and their representatives are audited for compliance with the requirements each year and that they publish the results of their audits. Though the CABForum defines the Baseline Requirements, it is not part of its charter to enforce them.
It is the browsers who have the legal interest to enforce the requirements. The browsers decide which CAs they will trust, relying on required WebTrust audits but also taking into account other security issues, such as the DigiNotar compromise. In addition, each time a browser connects to a site on behalf of a user, it follows a very intricate set of rules and steps to determine whether the certificate provided by that site can be trusted. This logic enables specific certificates to be explicitly distrusted, such as the certificates that were misissued when one of Comodo’s registration authorities was compromised. If a CA violates the Baseline Requirements or is otherwise compromised, it is the browsers and other systems that are in the best position to rapidly remove that CA from their trust stores or implement a set of rules for how certificates from the CA will be trusted and processed.
That was exactly the case when Google and Mozilla distrusted certificates issued by Symantec.
Certinomis was found in April 2019 to have issued 14 pre-certificates for an unregistered domain. Mozilla investigated the misissuance of these certificates further, noting that “a pre-certificate is a commitment to issue an equivalent certificate.” Certinomis replied that the issue at hand was not a systemic failure but rather a human error by a single employee. In the discussion that followed in the bug tracker, Google developer Ryan Sleevi raised several concerns about the reaction of Certinomis.
This led Mozilla to investigate further and to collect information about this and previous issues with Certinomis. On 16 April 2019 Mozilla “decided that there is sufficient concern about the activities and operations of the CA Certinomis to collect together a list of issues” in a Wiki page. The previous issues include:
Certinomis provided a response to all issues on 9 May 2019, confirming that they had implemented pre-issuance linting and explaining how their response covered all of the issues that were identified. However, Mozilla discovered that four new pre-certificates containing an invalid SAN value had been issued on 13 May 2019, after pre-issuance linting was in place, because of a misconfiguration. In addition, on 13 May 2019, 174 pre-certificates with ‘unknown’ OCSP status were discovered, proving that Certinomis was facing serious configuration problems with certificate issuance that they were unable to solve in a short time.
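To make the idea of pre-issuance linting of SAN values concrete, here is an added example (not code from Certinomis, Mozilla, or any real linter) that checks dNSName entries against a simplified subset of syntax rules and blocks a request on any finding. The article does not say what was invalid about the four SAN values, so the rules and the sample request are assumptions chosen for illustration.

```python
import ipaddress
import re

# LDH label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def lint_dns_san(value):
    """Return a list of findings for one dNSName SAN; empty list means pass."""
    findings = []
    if value != value.strip() or not value:
        return ["empty value or surrounding whitespace"]
    try:
        ipaddress.ip_address(value)
        return ["IP address encoded as dNSName"]
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    # A wildcard is only acceptable as the complete leftmost label.
    name = value[2:] if value.startswith("*.") else value
    if "*" in name:
        findings.append("wildcard not confined to the leftmost label")
    if len(name) > 253:
        findings.append("name longer than 253 characters")
    labels = name.split(".")
    if len(labels) < 2:
        findings.append("not a fully qualified domain name")
    for label in labels:
        if "_" in label:
            findings.append(f"underscore in label {label!r}")
        elif "*" not in label and not LABEL_RE.match(label):
            findings.append(f"label {label!r} is not valid LDH syntax")
    return findings

def lint_request(sans):
    """Lint every SAN in a request; a non-empty result should block issuance."""
    report = {}
    for san in sans:
        problems = lint_dns_san(san)
        if problems:
            report[san] = problems
    return report

# Constructed sample request, not taken from any real certificate.
SAMPLE_SANS = ["www.example.com", "*.example.com", "intranet",
               "192.0.2.10", "mail_server.example.com", "a..example.com",
               "www.*.example.com", " example.org"]

if __name__ == "__main__":
    for san, problems in lint_request(SAMPLE_SANS).items():
        print(f"BLOCK {san!r}: {'; '.join(problems)}")
```

A lint step like this only protects issuance if it runs on every issuance path and fails closed, which is the gap a misconfiguration opens.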
Following the above unresolved problems, Mozilla decided to “remove the ‘Certinomis - Root CA’ from the Mozilla root store” and to “treat any cross-signature of the existing root CA as a policy violation that will result in the immediate addition of the cross-certificate to OneCRL.” The decision will be effective with the shipping of Firefox 69, scheduled for September 2019.
The impact of this decision is not as big as the one related to Symantec’s certificates, since it affects roughly 2000 websites. Either way, the trust model on which the internet is (and has been) built has many single points of failure, and each CA is one of them. Every time a CA breaks the trust we place in it, regardless of whether it’s intentional or accidental, someone on the internet is harmed. Organizations need to adopt agile policies sooner rather than later and be prepared to act quickly if their certificates are impacted in any way. Certificate management is a core concern for all organizations, and it is true that organizations face several possible difficulties when it comes to switching CAs. Those obstacles aren't insurmountable, however. Inventory, issuance and installation, cost and validity are challenges faced by every organization when it comes to certificate lifecycle management. Automation is the key to managing your certificates effectively and efficiently while minimizing the risks of poor certificate management.