Harica: Issuance of Server TLS Certs with ClientAuth KeyPurposeID Against CP/CPS

Animux1 pts0 comments

2055551 - HARICA: Issuance of Server TLS Certificates with id-kp-clientAuth KeyPurposeID against CP/CPS

Log In

Log In with GitHub

or

Remember me

Create an Account<br>&middot;<br>Forgot Password

Browse

Advanced Search

New Bug

Reports

Documentation

Please enable JavaScript in your browser to use all the features on this site.

Copy Summary▾

Markdown

Markdown (bug number)

Plain Text

HTML

View ▾

Reset Sections

Expand All Sections

Collapse All Sections

History

JSON

XML

Open

Bug 2055551

Opened 18 hours ago<br>Updated 17 hours ago

HARICA: Issuance of Server TLS Certificates with id-kp-clientAuth KeyPurposeID against CP/CPS

Summary:

HARICA: Issuance of Server TLS Certificates with id-kp-clientAuth KeyPurposeID against CP/CPS

Product:

CA Program

See Open Bugs in This Product

File New Bug in This Product

Watch This Product

Component:

CA Certificate Compliance

See Open Bugs in This Component

Recently Fixed Bugs in This Component

File New Bug in This Component

Watch This Component

Version:

unspecified

Platform:

Unspecified

Unspecified

Type:

task

Priority:

Not set

Severity:

Status:

UNCONFIRMED

Status:

UNCONFIRMED

Mark as Assigned

Milestone:

Project Flags:

Accessibility Severity

Tracking Flags:

Tracking<br>Status

relnote-firefox

firefox-esr115

firefox-esr140

firefox-esr153

firefox152

firefox153

firefox154

Assignee:

Unassigned

Assignee:

Reset Assignee to default

Mentors:

QA Contact:

Reset QA Contact to default

Reporter:

public-incident-reports

Triage Owner:

bwilson

CC:

2 people

Depends on:

Blocks:

Regressions:

Regressed by:

URL:

See Also:

Alias:

Keywords:

Whiteboard:

QA Whiteboard:

Change Request:

Bug Flags:

behind-pref

sec-bounty

sec-bounty-hof

in-qa-testsuite

in-testsuite

qe-verify

Signature:

None

This bug is publicly visible.

Bottom &darr;

Tags ▾

Reset

Timeline ▾

Reset

Collapse All

Expand All

Comments Only

HARICA

Reporter

Description

&bull;<br>18 hours ago

Preliminary Incident Report

Summary

Incident description: HARICA routinely updates its CP/CPS to reflect industry policy changes. On 2025-02-15, Chrome's Root Store Policy v1.6 required the removal of the id-kp-clientAuth KeyPurposeID from the extKeyUsage extension, effective 2026-06-15. We updated HARICA CP/CPS v4.9 on 2025-03-14 to incorporate this deadline. While Chrome subsequently extended this deprecation date to 2027-03-15 in version 1.8 of their policy, HARICA failed to update its CP/CPS to reflect the extension. Consequently, we incorrectly continued to allow the id-kp-clientAuth KeyPurposeID in TLS Certificates after our internal 2026-06-15 CP/CPS cutoff.

All TLS Certificates issued after 2026-06-15 00:00:01 (UTC) are affected and will be replaced and revoked within 5 days.

The affected certificate profiles were updated to remove the id-kp-clientAuth EKU temporarily until an updated CP/CPS was released.

A full incident report will be posted no later than 2026-07-30.

We thank the reporter for precisely identifying the problem and providing the relevant normative references, which enabled our team to rapidly confirm the finding.

Relevant policies: Section 7.1.2.3 of the HARICA CP/CPS

Source of incident disclosure: Third-party reported

You need to log in<br>before you can comment on or make changes to this bug.

Top &uarr;

harica clientauth keypurposeid certificates reset component

Related Articles