Hello,

This is a public report of several certificates issued by Fina RDC 2020 that appear to be mis-issued. These certificates contain the Subject Alternative Name (SAN) iPAddress:1.1.1.1.

The IP address 1.1.1.1 is a well-known public DNS resolver operated by Cloudflare, in partnership with APNIC. It is highly unlikely that the certificate subscribers demonstrated control over this IP address as required by the CA/Browser Forum Baseline Requirements. Three of the discovered certificates are still valid as of today, September 3, 2025.

Mis-issued Certificates:

1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
   Subject CN: test1.hr
   SAN:
   - dNSName:test1.hr
   - dNSName:test12.hr
   - iPAddress:1.1.1.1
   crt.sh: https://crt.sh/?id=18603461241
   Censys: https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee

2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
   Subject CN: test1.hr
   SAN:
   - dNSName:test1.hr
   - dNSName:test11.hr
   - iPAddress:1.1.1.1
   crt.sh: https://crt.sh/?id=19749721864
   Censys: https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf

3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
   Subject CN: test11.hr
   SAN:
   - dNSName:test11.hr
   - dNSName:test12.hr
   - iPAddress:1.1.1.1
   crt.sh: https://crt.sh/?id=20582951233
   Censys: https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92

Relevant Certificate Authority:

These precertificates were issued by Fina RDC 2020 (https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root CA (https://crt.sh/?caid=100631). Fina Root CA is trusted by The Microsoft Root Certificate Program.

Apparent Violations:

This issuance appears to violate both the CA/Browser Forum's requirements and Fina's own stated policies.

1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section 7.1.2.7.12: The entry MUST contain the IPv4 or IPv6 address that the CA has confirmed the Applicant controls or has been granted the right to use through a method specified in Section 3.2.2.5.

2. Fina RDC 2020 Certificate Policy (v1.12), Section 3.2.2.4: For each IP Address listed in certificate application Fina shall verify, as of the date the certificate was issued, the right to use and control the IP Address by the Legal person submitting the certificate application. This verification shall be done in accordance with the methods specified in the CA/Browser Forum BRG document.

I request that Fina investigate this matter, revoke any active non-compliant certificates, and provide a public incident report in a timely manner.

---
Best regards,
Youfu Zhang
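
Added example, not part of the original message: a minimal Certificate Transparency monitoring check that an IP address holder could run to catch certificates like the ones reported above, where an iPAddress SAN names an address they operate but the issuer is not one they use. The record layout, the watched network 1.1.1.0/24, the placeholder issuer names and the three control records are assumptions made for the example.

```python
import ipaddress

# Assumptions (not from the report): the monitoring party watches 1.1.1.0/24,
# and records are dicts already extracted from CT log entries.
WATCHED = [ipaddress.ip_network("1.1.1.0/24")]
EXPECTED_ISSUERS = {"Example Authorized CA"}  # placeholder issuer name

def parse_san(entries):
    """Split 'type:value' SAN entries into (dns_names, ip_addresses, malformed)."""
    dns, ips, bad = [], [], []
    for entry in entries:
        kind, _, value = entry.partition(":")  # first colon only, so IPv6 survives
        kind, value = kind.strip().lower(), value.strip()
        if kind == "dnsname":
            dns.append(value.lower())
        elif kind == "ipaddress":
            try:
                ips.append(ipaddress.ip_address(value))
            except ValueError:
                bad.append(entry)  # keep for manual review rather than dropping
    return dns, ips, bad

def review(records, watched=WATCHED, expected=EXPECTED_ISSUERS):
    """Return (serial, issuer, ip) for watched addresses certified by unexpected issuers."""
    findings = []
    for rec in records:
        _, ips, _ = parse_san(rec["san"])
        for ip in ips:
            in_watched = any(ip.version == n.version and ip in n for n in watched)
            if in_watched and rec["issuer"] not in expected:
                findings.append((rec["serial"], rec["issuer"], str(ip)))
    return findings

# The first three records use the serials and SANs listed in the report;
# the last three are constructed controls that must not be flagged.
RECORDS = [
    {"serial": "d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72", "issuer": "Fina RDC 2020",
     "san": ["dNSName:test1.hr", "dNSName:test12.hr", "iPAddress:1.1.1.1"]},
    {"serial": "f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d", "issuer": "Fina RDC 2020",
     "san": ["dNSName:test1.hr", "dNSName:test11.hr", "iPAddress:1.1.1.1"]},
    {"serial": "be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5", "issuer": "Fina RDC 2020",
     "san": ["dNSName:test11.hr", "dNSName:test12.hr", "iPAddress:1.1.1.1"]},
    {"serial": "constructed-01", "issuer": "Example Authorized CA",
     "san": ["dNSName:one.example", "iPAddress:1.1.1.1"]},
    {"serial": "constructed-02", "issuer": "Example Other CA",
     "san": ["dNSName:host.example", "iPAddress:192.0.2.10"]},
    {"serial": "constructed-03", "issuer": "Example Other CA", "san": ["iPAddress:2001:db8::1"]},
]

if __name__ == "__main__":
    for finding in review(RECORDS):
        print(finding)
```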
