
Google to Ban Another CA Camerfirma From Their Chrome Browser

Spanish CA Camerfirma Will Be Banned From Google Chrome Version 90 Onwards

After the ban of Symantec, Google recently announced that it is ready to ban another CA (Certificate Authority), the Spain-based Camerfirma. The ban takes effect with the release of Google Chrome version 90, which is scheduled for mid-April 2021.

The decision to stop trusting Camerfirma-issued SSL/TLS certificates in Google Chrome was finalized on Monday (January 25, 2021), after the company failed, within a six-week window, to adequately explain a string of 26 different incidents in its certificate issuance process.

Among these 26 incidents, the latest occurred in January 2021, even though Camerfirma had been informed that it was under investigation since December 2020.

The January 2021 issue cemented Camerfirma's image as a CA that does not meet the quality and security standards the industry requires of anyone issuing SSL/TLS certificates for websites, software, and enterprises.

For Now, Only Google Is Banning Camerfirma

For many years, the popular browsers, namely Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer, have decided jointly to ban any Certificate Authority (CA) that fails to follow the SSL/TLS certificate issuance rules. CAs banned in the past include DigiNotar, Symantec, and WoSign together with its subsidiary StartCom.

These bans caused heavy losses: DigiNotar had to file for bankruptcy, and Symantec sold its SSL/TLS certificate issuance business to DigiCert.

With the Spain-based CA Camerfirma, the situation is slightly different (at least at the time of writing). No browser vendor other than Google has announced a ban on Camerfirma SSL/TLS certificates. According to industry experts, it is likely that the other three, Microsoft, Mozilla, and Apple, will take a similar decision within the coming weeks.

Nonetheless, Google's decision alone is enough to hurt Camerfirma's business severely: with Chrome holding around 60% to 70% of the browser market share, a ban in Chrome can be a death sentence for a CA.

List of 26 Confirmed or Suspected Camerfirma Issues Mentioned by Mozilla

Below are the twenty-six confirmed or suspected Camerfirma issues listed by Mozilla, on the basis of which Google decided to ban the CA from its Chrome browser:

Issue B – March 2017

In March 2017, after the WoSign/StartCom distrust, Camerfirma entered into a business relationship with StartCom, in which StartCom's CEO Iñigo received RA (Registration Authority) training from Camerfirma. Iñigo then validated organization-validated and domain-validated SSL/TLS certificates using methods that were not permitted by the Baseline Requirements in force at the time.

Issue D – April 2017

Related to the March 2017 issue, Camerfirma misissued 162 SSL/TLS certificates on StartCom's direction: required fields such as localityName and stateOrProvinceName were missing, and the subjectAlternativeName extension contained duplicate entries.

Issue F – November 2017

Later, in November 2017, it was revealed that Camerfirma had skipped CAA verification for certain domains whose CAA records restricted issuance to Let's Encrypt.
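Issue F concerns CAA (Certification Authority Authorization) checking, which RFC 8659 requires a CA to perform before issuing. The Python below is an added example, not code from this post or from any CA, showing the core of that check over a constructed zone snapshot: the owner names and records are made up, `letsencrypt.org` is used as the issuer-domain-name of the CA being asked to issue, and CNAME/DNAME following and live DNS lookups are left out.

```python
"""Added example (not from the post): RFC 8659 CAA issuance check over a
constructed zone snapshot. Standard library only, no live DNS."""

# Constructed CAA data keyed by owner name: list of (flags, tag, value).
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "locked.example.net": [(0, "issue", ";")],            # nobody may issue
    "strict.example.org": [(128, "futuretag", "x")],      # critical tag we do not understand
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from name towards the root; the first CAA RRset found is the relevant one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def caa_permits(requested_name, ca_domain, zone=ZONE):
    """Return (permitted, reason) for ca_domain issuing a certificate for requested_name."""
    wildcard = requested_name.startswith("*.")
    lookup = requested_name[2:] if wildcard else requested_name
    owner, rrset = relevant_rrset(lookup, zone)
    if not rrset:
        return True, "no CAA records up the tree; issuance is not restricted by CAA"
    # A record whose tag is unknown to us and has the critical flag set blocks issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, f"unknown critical CAA tag {tag!r} at {owner}"
    # Wildcard requests use issuewild if present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True, f"no {tag} records at {owner}; issuance is not restricted"
    for value in values:
        # Value syntax is "issuer-domain-name [; parameters]"; an empty name means nobody.
        issuer_domain = value.split(";", 1)[0].strip().lower()
        if issuer_domain and issuer_domain == ca_domain.lower():
            return True, f"{tag} record at {owner} authorizes {ca_domain}"
    return False, f"{tag} records at {owner} do not authorize {ca_domain}"

if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "locked.example.net",
                 "host.example.edu", "sub.strict.example.org"):
        print(name, caa_permits(name, "letsencrypt.org"))
```

The part worth attention is the climb toward the root: a CA that queries only the exact requested name, or stops at the first empty answer, effectively skips CAA for every subdomain and ends up issuing for a name whose CAA records name a different issuer.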

Issue H – December 2017

In December 2017, Camerfirma came under fire for non-compliance at two of its own sub-CAs, InfoCert and Intesa Sanpaolo, whose OCSP responders did not support the GET method that the Baseline Requirements require.
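Issue H is about the OCSP GET method, which the Baseline Requirements require responders to support and which RFC 6960 Appendix A.1 defines as the base64-encoded, URL-encoded DER request appended to the responder URL. The Python below is an added example rather than code from the post or from the CAs named; it builds such a request for a constructed issuer (the issuer name, key bytes, serial number and responder URL are all made up) and shows the encoding a responder has to accept on GET.

```python
"""Added example (not from the post or any CA): build an OCSP request and its
GET form per RFC 6960 Appendix A.1. Standard library only."""
import base64
import hashlib
from urllib.parse import quote, unquote

def der_len(n):
    """DER definite-form length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """One DER tag-length-value."""
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(n):
    """DER INTEGER for a non-negative n (keeps a 0x00 pad when the high bit is set)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

SHA1_OID = bytes.fromhex("2b0e03021a")          # 1.3.14.3.2.26 (id-sha1)

def build_ocsp_request(issuer_name_der, issuer_spk, serial):
    """Unsigned OCSPRequest with one CertID (RFC 6960 section 4.1.1), SHA-1 hashes.
    issuer_spk is the content of the issuer's subjectPublicKey BIT STRING."""
    cert_id = tlv(0x30,
                  tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))      # hashAlgorithm
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_spk).digest())       # issuerKeyHash
                  + der_integer(serial))                               # serialNumber
    request = tlv(0x30, cert_id)                 # Request { reqCert CertID }
    tbs_request = tlv(0x30, tlv(0x30, request))  # TBSRequest { requestList SEQUENCE OF Request }
    return tlv(0x30, tbs_request)                # OCSPRequest { tbsRequest }

def ocsp_get_url(responder_url, request_der):
    """GET form: responder URL + "/" + URL-encoded base64 of the DER request."""
    encoded = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + quote(encoded, safe="")

def decode_get_url(url):
    """What a responder does on GET: turn the last path segment back into DER."""
    return base64.b64decode(unquote(url.rsplit("/", 1)[1]))

# Constructed sample issuer (not a real CA): a Name with one commonName, 64 bytes
# standing in for the public key bit string content, and a made-up serial number.
SAMPLE_ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30,
                         tlv(0x06, bytes.fromhex("550403"))        # 2.5.4.3 commonName
                         + tlv(0x0C, b"Example Issuing CA"))))    # UTF8String
SAMPLE_ISSUER_SPK = bytes(range(64))
SAMPLE_SERIAL = 0x0123456789ABCDEF

def sample_get_url(responder_url="http://ocsp.example.test"):
    """Build the GET URL for the constructed sample."""
    request_der = build_ocsp_request(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_SPK, SAMPLE_SERIAL)
    return ocsp_get_url(responder_url, request_der)

if __name__ == "__main__":
    print(sample_get_url())
```

Against a live responder the URL is simply fetched with an HTTP GET; a responder that only handles POST answers such a request with an HTTP error instead of an OCSPResponse, which is what a compliance check for this requirement looks for. The GET form also matters operationally because it is what HTTP caches and CDNs in front of a responder can serve.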

Issue J – August 2017

In 2017, when security researchers searched the Certificate Transparency logs for invalid dNSName Subject Alternative Names, Camerfirma was among the CAs found to have issued such certificates.

Issue L – July 2017

In July 2017, it was also found that, like the now-distrusted PSCProCert, Camerfirma had issued SSL/TLS certificates with an invalid subjectAlternativeName, using an X.500 directoryName (dirName) entry within the SAN.

Issue N – From 2015 to 2017

Further investigation covering 2015 to 2017 revealed that Camerfirma had failed to revoke two intranet certificates issued for non-assigned domain names.

Issue P – January 2018

In January 2018, a month before the deployment of issue J, another issue came to light: Camerfirma had misissued a certificate that violated the ASN.1 field requirements by including non-printable control characters.

Issue R – April 2018

In April 2018, it came to notice that Camerfirma had failed to disclose an unconstrained sub-CA, even though Mozilla required such disclosure by 2018-04-15.

Issue T – 2018 – 2020

While resolving issue R, it emerged that in July 2018 Camerfirma had also failed to disclose two additional sub-CA certificates operated by MULTICERT. Under Mozilla policy, such sub-CAs must be disclosed within one week of creation.

Issue V – 2017 – 2018

In July 2018, Camerfirma disclosed its qualified audit for 2017 – 2018, but the audit was found not to be qualified for some of the problems covered by the previous issues.

Issue X – 2018 – 2019

In August 2018, within a few weeks of receiving a cross-signed sub-CA from Camerfirma, MULTICERT misissued several certificates that violated the ASN.1 length constraint on the organizationName field.

Issue Z – 2017 – 2020

In 2019, Camerfirma reported many other incidents that had been detected in 2017, for example misissuance by its subordinate CA Intesa Sanpaolo. These violations covered both the Baseline Requirements and RFC 5280.

Issue BB – 2017 – 2020

CA/Browser Forum Ballot SC12 clarified that underscores are not part of the "preferred name syntax" for domain names, and that any previously issued certificate containing them had to be revoked by 2019-01-15. Despite this clarification, Camerfirma failed to revoke such certificates.

Issue DD – 2017 – 2020

Further examination of Camerfirma's sub-CAs through crt.sh showed that they had misissued many certificates in February and April 2018, which were not reported until June 2019.

Issue FF – 2019

In 2019, Camerfirma accidentally revoked a sub-CA for MULTICERT.

Issue HH – 2018 – 2019

In 2019, DigiCert contacted many CAs, including Camerfirma, pointing out that they had misissued EV SSL/TLS certificates with an incorrect businessCategory field and therefore failed to adhere to the EV Guidelines.

Issue JJ – 2018 – 2019

From 2018 to 2019, Camerfirma moved from AUREN for its WebTrust audits to AENOR for eIDAS audits. The transition left a gap of 25 days (2018-04-14 to 2018-05-08) that was covered by neither audit.

Issue LL – 2003 – 2020

Since version 1.0 of the Mozilla policy, a certificate may carry either the issuer name and serial number or the key ID, but not both. Camerfirma failed to comply, and every certificate it has issued since 2003 violates this policy.

Issue PP – 2013 – 2019

Camerfirma later disclosed that until 2018 it had not audited an S/MIME sub-CA controlled by the Government of Andorra. In 2019, it received an audit report that identified multiple non-conformities.

Issue TT – November 2020

In November 2020, Camerfirma issued a certificate whose organization name was preceded by a colon.

Issue UU – October 2020

In October 2020, Camerfirma issued an SSL/TLS certificate for an unregistered domain; the reason given was human error.

Issue VV – January 2021

In January 2021, Camerfirma issued 286 certificates without the CA/Browser Forum policy OID, because its Quality Department overlooked the change to the certificate profile.

Issue XX – January 2021

Also in January 2021, it was found that the sub-CA CPS for Intesa Sanpaolo did not specify how domain validation and CAA verification are performed.

Wrapping Up

At present, only Google has decided to ban Camerfirma; the others have not responded yet. But, looking at these twenty-six issues published by Mozilla, it is quite likely that the other popular browsers, Apple Safari, Mozilla Firefox, and Microsoft Internet Explorer, will take a similar decision, meaning all the popular browsers may ban the Spain-based CA Camerfirma.
