That's not all: https://crt.sh/?id=15304695102&opt=ocsp looks a little suspicious to me given the OU values here. I wish I had a legitimately issued one to contrast with, but I am suspicious.
I also found https://crt.sh/?id=2186789673 which is from a different CA.

Sincerely,
Watson

On Thu, Sep 4, 2025 at 2:39 PM Andrew Ayer <[email protected]> wrote:
>
> On the Fediverse, Dr. Christopher Kunz
> <https://chaos.social/@christopherkunz/115144844256513679> has noticed two
> additional issues:
>
> 1. A presumably-misissued certificate for 2.2.2.2, an IP address assigned to
> Oracle according to WHOIS:
> https://crt.sh/?sha256=789DE404B22E8737C22694B72CBDDC23F8C1EE4BF1DF3FAEBACF5C3E5509288B
>
> 2. The certificates involved in this incident have been revoked with the
> reason code cessationOfOperation. Per BR 4.9.1.1 (5), the reason should be
> superseded.
>
> Regards,
> Andrew
>
> On Wed, 3 Sep 2025 23:31:58 +0800
> Youfu Zhang <[email protected]> wrote:
>
> > Hello,
> >
> > This is a public report of several certificates issued by Fina RDC
> > 2020 that appear to be mis-issued. These certificates contain the
> > Subject Alternative Name (SAN) iPAddress:1.1.1.1.
> >
> > The IP address 1.1.1.1 is a well-known public DNS resolver operated by
> > Cloudflare, in partnership with APNIC. It is highly unlikely that the
> > certificate subscribers demonstrated control over this IP address as
> > required by the CA/Browser Forum Baseline Requirements.
> >
> > Three of the discovered certificates are still valid as of today,
> > September 3, 2025.
> >
> > Mis-issued Certificates:
> >
> > 1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
> >    Subject CN: test1.hr
> >    SAN:
> >      - dNSName:test1.hr
> >      - dNSName:test12.hr
> >      - iPAddress:1.1.1.1
> >    crt.sh: https://crt.sh/?id=18603461241
> >    Censys:
> >    https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee
> >
> > 2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
> >    Subject CN: test1.hr
> >    SAN:
> >      - dNSName:test1.hr
> >      - dNSName:test11.hr
> >      - iPAddress:1.1.1.1
> >    crt.sh: https://crt.sh/?id=19749721864
> >    Censys:
> >    https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf
> >
> > 3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
> >    Subject CN: test11.hr
> >    SAN:
> >      - dNSName:test11.hr
> >      - dNSName:test12.hr
> >      - iPAddress:1.1.1.1
> >    crt.sh: https://crt.sh/?id=20582951233
> >    Censys:
> >    https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92
> >
> > Relevant Certificate Authority:
> >
> > These precertificates were issued by Fina RDC 2020
> > (https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root
> > CA (https://crt.sh/?caid=100631).
> >
> > Fina Root CA is trusted by The Microsoft Root Certificate Program.
> >
> > Apparent Violations:
> >
> > This issuance appears to violate both the CA/Browser Forum's
> > requirements and Fina's own stated policies.
> >
> > 1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section
> > 7.1.2.7.12:
> >
> >    The entry MUST contain the IPv4 or IPv6 address that the CA has
> >    confirmed the Applicant controls or has been granted the right to use
> >    through a method specified in Section 3.2.2.5.
> >
> > 2. Fina RDC 2020 Certificate Policy (v1.12), Section 3.2.2.4:
> >
> >    For each IP Address listed in certificate application Fina shall
> >    verify, as of the date the certificate was issued, the right to use
> >    and control the IP Address by the Legal person submitting the
> >    certificate application.
> >    This verification shall be done in accordance with the methods
> >    specified in the CA/Browser Forum BRG document.
> >
> > I request that Fina investigate this matter, revoke any active
> > non-compliant certificates, and provide a public incident report in a
> > timely manner.
> >
> > ---
> >
> > Best regards,
> > Youfu Zhang
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "[email protected]" group. To unsubscribe from
> > this group and stop receiving emails from it, send an email to
> > [email protected]. To view this discussion
> > visit
> > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEKhA2zDcVuKi1KVnMOwgjyQ2T9rv7sCFCYG0gwozLU9f7p4vQ%40mail.gmail.com.

--
Astra mortemque praestare gradatim
