2019-03-14

Potential compliance issue for Public CA certificate serial numbers

Who may be affected?

This is applicable if your organization is running so-called WebPKI Public CAs, which have their root CA certificates published in a web browser trust store. Furthermore, this may be applicable if your organization is issuing web site certificates under ETSI EN 319 412-4.

Other CAs can ignore this, as it only relates to compliance with specific “Baseline Requirements for Issuance and Management of Publicly-Trusted Certificates”, in particular compliance with BR 7.1 as it is currently being interpreted.

Note that this is not a security issue, it is a compliance issue.

For the sake of clarity, it is PrimeKey’s position that a CA running EJBCA Enterprise configured so that certificate serial numbers are 9 octets or longer is compliant with BR 7.1.

If affected, what should we do?

Convene your Certificate Policy compliance team and review your installation and configuration documentation to determine compliance with the BR 7.1 (“CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG”).

In particular, you may need to perform corrective actions if one of the following is true:

  • you have been running such a CA since before September 30, 2016 and have not reviewed your configuration after the CAB Forum passed Ballot 164; alternatively,
  • you have set up a new CA using the default configuration options in EJBCA Enterprise after September 30, 2016.

Then, establish whether the certificate serial number length is configured to be 9 octets or more. If this is true, then you are _not_ affected.

If, however, the certificate serial numbers were set to less than 9 octets, then you _are_ affected.
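The arithmetic behind the 9-octet threshold, as an added example that is not part of PrimeKey’s advisory or of EJBCA’s code: a certificate serial number is a DER INTEGER, which is two’s complement, so a serial that must be greater than zero has its most significant bit forced clear. With 8 octets that leaves at most 63 bits of CSPRNG output, one short of the 64 required by BR 7.1; with 9 octets there is room for 71. The generation scheme below (draw N random octets, clear the top bit, reject zero) is assumed for illustration only, and the serial lists used by the audit helper are constructed sample values, not serials from any real CA.

```python
import secrets
from typing import Dict, Iterable

BR_7_1_MIN_RANDOM_BITS = 64   # BR 7.1: "at least 64 bits of output from a CSPRNG"
MAX_SERIAL_OCTETS = 20        # RFC 5280 4.1.2.2: serialNumber MUST NOT be longer than 20 octets


def csprng_bits_in_positive_serial(octets: int) -> int:
    """Upper bound on CSPRNG output bits a positive serial of `octets` bytes can carry.

    A DER INTEGER is two's complement: for the value to stay positive within
    `octets` bytes, the most significant bit must be 0, so one random bit is lost.
    """
    return octets * 8 - 1


def meets_br_7_1(octets: int) -> bool:
    """True if a positive serial of this many octets can hold >= 64 CSPRNG bits."""
    return csprng_bits_in_positive_serial(octets) >= BR_7_1_MIN_RANDOM_BITS


def generate_serial(octets: int) -> int:
    """Generate a positive serial from `octets` CSPRNG bytes.

    Assumed scheme for illustration (not EJBCA's implementation): draw the bytes,
    clear the top bit so the value is non-negative, and retry on zero because
    BR 7.1 also requires serials to be greater than zero.
    """
    if not 1 <= octets <= MAX_SERIAL_OCTETS:
        raise ValueError("serial length must be between 1 and 20 octets")
    while True:
        value = int.from_bytes(secrets.token_bytes(octets), "big")
        value &= (1 << (octets * 8 - 1)) - 1   # clear MSB -> positive two's complement
        if value > 0:
            return value


def der_integer_content_octets(serial: int) -> int:
    """Number of content octets needed to DER-encode `serial` as a positive INTEGER.

    If the top bit of the leading byte would be set, DER prepends a 0x00 byte,
    which is why 2**63 needs 9 octets while 2**63 - 1 fits in 8.
    """
    if serial <= 0:
        raise ValueError("certificate serial numbers must be greater than zero")
    return serial.bit_length() // 8 + 1


def audit_issued_serials(serials: Iterable[int]) -> Dict[str, object]:
    """Screen serials of already issued certificates for a too-short configuration.

    A serial of n bits can carry at most n bits of CSPRNG output. If the largest
    serial in the sample is below 64 bits, the issuing CA is almost certainly
    configured for 8 octets or fewer. The converse does not hold: a long serial
    proves nothing about entropy, so only a configuration review settles compliance.
    """
    lengths = [s.bit_length() for s in serials]
    if not lengths:
        raise ValueError("no serials to audit")
    max_bits = max(lengths)
    return {
        "sample_size": len(lengths),
        "max_bit_length": max_bits,
        "max_der_octets": (max_bits // 8) + 1,
        "suspect_short_config": max_bits < BR_7_1_MIN_RANDOM_BITS,
    }


# Constructed sample serials (not from any real CA): the first list looks like an
# 8-octet configuration (never more than 63 bits), the second like 9 octets.
SAMPLE_SERIALS_8_OCTET = [0x4A1B2C3D4E5F6071, 0x7FFFFFFFFFFFFFFF, 0x00123456789ABCDE]
SAMPLE_SERIALS_9_OCTET = [0x6A1B2C3D4E5F607182, 0x3B0000000000000001, 0x0F0E0D0C0B0A090807]


if __name__ == "__main__":
    for n in (8, 9, 20):
        print(f"{n} octets: up to {csprng_bits_in_positive_serial(n)} CSPRNG bits, "
              f"BR 7.1 {'OK' if meets_br_7_1(n) else 'NOT met'}")
    print("8-octet sample:", audit_issued_serials(SAMPLE_SERIALS_8_OCTET))
    print("9-octet sample:", audit_issued_serials(SAMPLE_SERIALS_9_OCTET))
```

`audit_issued_serials` is a screening aid for the review step: run it over the serials of certificates your CA has issued since September 30, 2016, and a maximum bit length below 64 is strong evidence of an 8-octet (or shorter) setting. It cannot prove compliance, because bit length is only an upper bound on entropy; the configuration review described above remains the authoritative check.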

How to remediate?

  • Configure EJBCA to use 9 octets or more for the certificate serial number. This is done either in the global configuration file “cesecore.properties” (if you are running a version prior to 6.15.2 or 7.0.1), or in the administrative GUI (if you are running versions 6.15.2/7.0.1 or later, or Appliance 3.2.2 or later).
  • If you feel unsure about how to change configuration, please do not hesitate to contact PrimeKey support.

Follow the process established for issues with CAB Forum compliance. This is outside the scope of what PrimeKey can help with, but one of the important activities is to file an incident report. Note that other measures, such as revoking certificates determined to be non-compliant, may be needed as well.