Symantec has once again been forced to revoke incorrectly issued certificates.
The bogus certificates were spotted through the Certificate Transparency (CT) system by Andrew Ayer, founder of SSLMate, who found certificates for example.com that, he confirmed, were not authorized by the domain’s owner.
“I confirmed with ICANN, the owner of example.com, that they did not authorize these certificates,” he said in a blog post. “These certificates were already revoked at the time I found them.”
He also identified certificates for domains such as test.com, test1.com, test2.com, and others containing the string “test,” he said.
Ayer found more than 100 wrongly issued certificates attributed to Symantec and its subsidiaries GeoTrust and Thawte.
Several fields in the certificates contain the value “test,” which suggests they were issued for testing purposes.
The certificates had been issued by one of the company’s WebTrust-audited partners, said Steven Medin, PKI policy manager at Symantec. Medin said this partner’s privileges have been cut to restrict further issuance and that the reported certificates have all been revoked.
Ayer advised domain owners to monitor CT logs to determine if unauthorized certificates have been issued for their websites.
Since this is not the first time Symantec has misissued certificates, Ayer suggested excluding the company via CAA records, DNS records that let domain owners specify which CAs may issue certificates for their domain.
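To make the CAA recommendation concrete, the following added example (not code from the article, Ayer, or Symantec) evaluates a CAA policy the way a conforming CA is required to: it climbs from the requested name toward the root to find the relevant CAA record set (RFC 8659 section 3), then checks the issue and issuewild properties (section 4). The zone data is constructed for the example; the names example.com, test.example.com, noissue.net and strict.org and their records are assumptions, not real DNS contents.

```python
"""Offline CAA policy evaluation against a constructed in-memory zone.

A domain owner can use the same logic to check that the records they
publish actually exclude the CAs they intend to exclude before relying
on them.
"""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample zone for this example; not real DNS data.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "issuewild", ";"),  # empty issuer: no wildcard issuance by anyone
        (0, "iodef", "mailto:security@example.com"),
    ],
    "test.example.com": [(0, "issue", ";")],  # forbids every CA for this name
    "noissue.net": [(0, "iodef", "mailto:security@noissue.net")],  # no restriction
    "strict.org": [(128, "unknown-tag", "x"), (0, "issue", "letsencrypt.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(fqdn: str, zone: Dict[str, List[CaaRecord]]) -> List[CaaRecord]:
    """RFC 8659 s3: walk from the name toward the root and return the first
    CAA RRset found (the 'relevant RRset'); an empty list if there is none."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """Return the issuer domain name from an issue/issuewild value.
    Parameters after ';' are ignored here; '' means 'no issuer at all'."""
    return value.split(";", 1)[0].strip().lower()


def ca_allowed(name: str, ca_domain: str, zone: Dict[str, List[CaaRecord]] = ZONE) -> bool:
    """Decide whether the CA identified by ca_domain may issue for name.
    A leading '*.' makes the request a wildcard request."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # RFC 8659 s4: an unrecognised tag with the critical flag (bit value 128)
    # means the policy cannot be understood, so the CA must not issue.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    if wildcard:
        # issuewild takes precedence; if absent, issue governs wildcards too
        values = [v for _, t, v in rrset if t == "issuewild"] or \
                 [v for _, t, v in rrset if t == "issue"]
    else:
        values = [v for _, t, v in rrset if t == "issue"]
    if not values:
        return True  # only iodef (or similar) present: issuance not restricted
    return ca_domain.lower() in {issuer_domain(v) for v in values}


if __name__ == "__main__":
    for req, ca in [("www.example.com", "letsencrypt.org"),
                    ("www.example.com", "symantec.com"),
                    ("*.example.com", "letsencrypt.org"),
                    ("test.example.com", "letsencrypt.org"),
                    ("www.noissue.net", "symantec.com"),
                    ("www.strict.org", "letsencrypt.org")]:
        print(f"{ca:>16} may issue for {req:<18}: {ca_allowed(req, ca)}")
```

Note that a CAA set containing only an iodef property does not restrict issuance, so excluding a CA requires at least one issue record naming the CAs that are permitted (or an empty issuer ";" to forbid all of them); the wildcard and critical-flag cases are the ones most often got wrong when records are written by hand.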