GoDaddy, Apple, and Google misissue >1 million certificates


A major operational error by GoDaddy, Apple, and Google has resulted in the issuance of at least 1 million browser-trusted digital certificates that don’t comply with binding industry mandates. The number of non-compliant certificates may be double that number, and other browser-trusted authorities are also likely to be affected.

Almost no chance of exploitation

With all that said, despite the shortcomings of the misissued certificates, there is very little chance their non-compliant entropy can be exploited. Certificates are now generated using SHA256, a modern algorithm that doesn’t have the known vulnerabilities of MD5. The 64-bit requirement, rather, is more a matter of insuring against new attacks that will likely be discovered in the coming decades.


All CAs that used the EJBCA software platform and chose to generate serial numbers with the minimum 64-bit value were impacted. CAs that generated 72-bit or other larger values for the serial numbers were not affected.

Impacted CAs included big names such as Apple, Google, GoDaddy, but also other smaller CA operators as well.

In the weeks-long investigation that followed, Apple found that it had misissued over 878,000 TLS certificates that used a 63-bit serial number instead of the minimum 64-bit. Of these 558,000 were still in use.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.