Symantec revokes wrongly issued certificates after notification
Symantec has revoked certificates it had previously issued for several domains. The action follows a report from Andrew Ayer, founder of SSLMate, who discovered the certificates.
Ayer wrote last week that Symantec issued several certificates for the domain example.com last year. He reported this to ICANN, which owns the domain. The organization said no permission had been granted to issue the certificates. However, these certificates had already been revoked. He also found other certificates issued for domains with the word “test” in them. Symantec responded to the notification, saying that the certificates were issued by one of its “trusted partners.”
As a result of the action, Symantec says it has revoked the related partner’s issuance rights pending an investigation. In addition, the company has revoked the other still-valid certificates. These cover various domains found by Ayer, for example ‘test1’ to ‘test9’. Ayer wrote that these domains belong to different parties and that it is unlikely that all of them had consented to the issuance. The certificates reportedly were not used ‘in the wild’.
Google had previously blocked a Symantec root certificate in 2015 because it was issued in violation of applicable rules. Other certificate authorities have also issued certificates for domains without permission in the past. For example, WoSign issued a certificate for GitHub, among other errors.