
Important Notice: EJBCA - Potential CAA Compliance Issue


Issue Summary

Due to a logical error in how EJBCA interprets Certification Authority Authorization (CAA) responses, EJBCA may incorrectly approve issuance of a wildcard certificate for a domain name whose CAA records in DNS prohibit issuance.

When a CAA lookup is performed for a wildcard certificate request and the domain name has an “issue” property tag that prohibits issuance by any CA but no “issuewild” property tag, the EJBCA CAA validator incorrectly ignores the “issue” property tag and approves issuance. Per RFC 8659, section 4.3, the “issue” property applies to wildcard domain names whenever no “issuewild” property is present, so the request should have been rejected.

This causes a violation of section 3.2.2.8 of the CA/Browser Forum Baseline Requirements.

Impacted customers

Customers on any EJBCA version prior to the corrected releases listed under Mitigation who have configured the CAA validator and are issuing wildcard certificates.

Note that customers who are not using the EJBCA CAA validator or are not issuing wildcard certificates are not impacted.

How to identify if you might have been impacted

All of the following criteria must be met for a potential mis-issuance to occur.

  • The CA has profiles configured to issue wildcard certificates.
  • The CA has the CAA validator configured for those profiles.
  • The CA has issued one or more wildcard certificates.
  • The CAA record set for the domain contains only an “issue” property tag with the value “;” (prohibiting all CAs from issuing any certificates for this domain) and no “issuewild” property tag.

If all these criteria are met, Keyfactor suggests manually reviewing previously issued wildcard certificates and verifying whether the CAA records for the domain name contained in each wildcard certificate prohibit issuance by any CA (for example, CAA 0 issue ";").

Example:

CAA record contains only the following property tag:

example.com         CAA 0 issue ";"
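The following is an added example, not EJBCA's code or Keyfactor's review tooling. It implements the RFC 8659 wildcard rule (use “issuewild” if present, otherwise fall back to “issue”; an empty issuer name, written as ";", permits no CA) beside the flawed behaviour this notice describes (ignoring “issue” for wildcard requests when no “issuewild” exists), and re-runs the correct check over a list of issued wildcard names. The zone data, the issued-certificate list and the CA identity ca.example are constructed for the example; the record-set climb is simplified (CNAME/DNAME following is omitted, and the leading “*.” of a wildcard name is stripped before the lookup). A real review would replace the constructed zone with live DNS queries, and should keep in mind that CAA records may have changed since the certificate was issued.

```python
"""Minimal CAA evaluator per RFC 8659, showing the correct wildcard rule
beside the flawed rule described in the notice. Added example; not EJBCA code."""
from dataclasses import dataclass

KNOWN_TAGS = ("issue", "issuewild", "iodef")
ISSUER_CRITICAL = 128  # RFC 8659 s.4.1 flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int  # 128 = issuer-critical
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # e.g. 'ca.example' or ';' (empty issuer = no CA may issue)


def parse_caa(line):
    """Parse a zone-file style line such as: example.com.  CAA 0 issue ";"  """
    name, rtype, flags, tag, value = line.split(None, 4)
    if rtype.upper() != "CAA":
        raise ValueError("not a CAA record: " + line)
    return name.rstrip(".").lower(), CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def load_zone(lines):
    zone = {}
    for line in lines:
        name, rec = parse_caa(line)
        zone.setdefault(name, []).append(rec)
    return zone


# Constructed zone data for the example (assumption: a real check queries DNS).
CONSTRUCTED_ZONE_LINES = [
    'example.com.        CAA 0 issue ";"',                                       # the case in the notice
    'wild-ok.example.    CAA 0 issue ";"',
    'wild-ok.example.    CAA 0 issuewild "ca.example"',                          # wildcard explicitly allowed
    'open.example.       CAA 0 issue "ca.example; validationmethods=dns-01"',   # parameters after ';'
]
ZONE = load_zone(CONSTRUCTED_ZONE_LINES)


def relevant_records(name, zone):
    """RFC 8659 s.3 (simplified): climb towards the root until a CAA RRset is found."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def issuer_names(records, tag):
    """Issuer domain names for a property tag; ';' yields '' (no CA permitted)."""
    return [r.value.split(";", 1)[0].strip().lower() for r in records if r.tag == tag]


def caa_permits(fqdn, ca, zone, ignore_issue_for_wildcards=False):
    """True if CAA allows `ca` to issue for `fqdn`.
    ignore_issue_for_wildcards=True reproduces the flawed behaviour from the notice."""
    wildcard = fqdn.startswith("*.")
    records = relevant_records(fqdn[2:] if wildcard else fqdn, zone)
    if not records:
        return True  # no relevant CAA records: issuance is not restricted
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False  # unknown critical property: must not issue (RFC 8659 s.4.1)
    if wildcard:
        names = issuer_names(records, "issuewild")
        if not names:
            if ignore_issue_for_wildcards:
                return True  # FLAWED: "issue" is skipped entirely
            names = issuer_names(records, "issue")  # CORRECT: "issue" governs wildcards too
    else:
        names = issuer_names(records, "issue")
    if not names:
        return True  # no issue/issuewild property present for this request type
    return ca.lower() in names


def find_misissued(issued_wildcard_names, ca, zone):
    """Re-run the correct check over already-issued wildcard names; return those CAA prohibits."""
    return [n for n in issued_wildcard_names if not caa_permits(n, ca, zone)]


if __name__ == "__main__":
    # Constructed list of wildcard names taken from previously issued certificates.
    issued = ["*.example.com", "*.wild-ok.example", "*.open.example", "*.nocaa.example"]
    print("flawed  *.example.com:", caa_permits("*.example.com", "ca.example", ZONE, True))
    print("correct *.example.com:", caa_permits("*.example.com", "ca.example", ZONE))
    print("needs review:", find_misissued(issued, "ca.example", ZONE))
```

Running the module prints that the flawed rule approves *.example.com while the correct rule rejects it, and lists *.example.com as the only issued name needing review. The same evaluator can be pointed at real issuance data by replacing ZONE with records fetched from DNS; when a record set has changed since issuance, the CAA lookup results recorded at issuance time are what the review must be judged against.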

Mitigation

Keyfactor provides updated EJBCA releases containing the correction. The correction is included in EJBCA 8.3.3 and EJBCA 9.1.1.

Customers using EJBCA with the CAA validator are advised not to issue wildcard certificates until the updated EJBCA release has been deployed or, as a temporary measure, to verify the CAA entries manually before issuing each wildcard certificate.

Root Cause Analysis

A logical error in consuming the CAA response was introduced during implementation of the CAA validator.

In this instance, the Keyfactor QA process failed to prevent or identify the issue, due to shortcomings in test coverage.

Action items

Keyfactor will strengthen the review and QA process.