Youfu Zhang
Sep 3, 2025, 11:32:41 AM
to dev-secur...@mozilla.org, info...@fina.hr
Hello,
This is a public report of several certificates issued by Fina RDC
2020 that appear to be mis-issued. These certificates contain the
Subject Alternative Name (SAN) iPAddress:1.1.1.1.
The IP address 1.1.1.1 is a well-known public DNS resolver operated by
Cloudflare, in partnership with APNIC. It is highly unlikely that the
certificate subscribers demonstrated control over this IP address as
required by the CA/Browser Forum Baseline Requirements.
Three of the discovered certificates are still valid as of today,
September 3, 2025.
Mis-issued Certificates:
1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
Subject CN: test1.hr
SAN:
- dNSName:test1.hr
- dNSName:test12.hr
- iPAddress:1.1.1.1
crt.sh: https://crt.sh/?id=18603461241
Censys: https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee
2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
Subject CN: test1.hr
SAN:
- dNSName:test1.hr
- dNSName:test11.hr
- iPAddress:1.1.1.1
crt.sh: https://crt.sh/?id=19749721864
Censys: https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf
3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
Subject CN: test11.hr
SAN:
- dNSName:test11.hr
- dNSName:test12.hr
- iPAddress:1.1.1.1
crt.sh: https://crt.sh/?id=20582951233
Censys: https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92
Relevant Certificate Authority:
These precertificates were issued by Fina RDC 2020
(https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root
CA (https://crt.sh/?caid=100631).
Fina Root CA is trusted by the Microsoft Root Certificate Program.
Apparent Violations:
This issuance appears to violate both the CA/Browser Forum's
requirements and Fina's own stated policies.
1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section 7.1.2.7.12:
The entry MUST contain the IPv4 or IPv6 address that the CA has
confirmed the Applicant controls or has been granted the right to use
through a method specified in Section 3.2.2.5.
2. Fina RDC 2020 Certificate Policy (v1.12), Section 3.2.2.4:
For each IP Address listed in certificate application Fina shall
verify, as of the date the certificate was issued, the right to use
and control the IP Address by the Legal person submitting the
certificate application.
This verification shall be done in accordance with the methods
specified in the CA/Browser Forum BRG document.
I request that Fina investigate this matter, revoke any active
non-compliant certificates, and provide a public incident report in a
timely manner.
---
Best regards,
Youfu Zhang
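The report above flags an iPAddress SAN that the subscriber almost certainly does not control. As an added example (not part of Youfu Zhang's report, and not Fina's or Cloudflare's code), the stdlib-only Python below parses a DER-encoded SubjectAltName extension value, lists its dNSName and iPAddress entries, and flags IP SANs that are either on a watchlist of well-known public addresses (here only 1.1.1.1, the address named in the report; the watchlist is an assumption you would extend) or are reserved/non-global, which the Baseline Requirements prohibit in SANs. The DER sample bytes are constructed inline to mirror certificate 1's SAN, and the helper names (`read_tlv`, `parse_san`, `audit_san`) are my own.

```python
"""Parse an X.509 SubjectAltName (DER GeneralNames) and audit its iPAddress entries.

Standard library only; the sample SAN below is constructed to mirror the SAN of
certificate 1 in the report (test1.hr, test12.hr, 1.1.1.1). It is not a real cert.
"""
import ipaddress

# Addresses a subscriber is very unlikely to be able to prove control of.
# Only 1.1.1.1 comes from the report; extending this list is an assumption.
WATCHLIST = {"1.1.1.1"}


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der: bytes):
    """Return [(kind, value), ...] from a DER SubjectAltName extension value."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE OF GeneralName")
    names = []
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag & 0xC0 != 0x80:  # GeneralName choices are context-specific tags
            raise ValueError(f"unexpected tag 0x{tag:02x} in GeneralNames")
        choice = tag & 0x1F
        if choice == 2:    # dNSName [2] IMPLICIT IA5String
            names.append(("dNSName", val.decode("ascii")))
        elif choice == 7:  # iPAddress [7] IMPLICIT OCTET STRING (4 or 16 bytes)
            if len(val) not in (4, 16):
                raise ValueError(f"iPAddress of length {len(val)} is malformed")
            names.append(("iPAddress", str(ipaddress.ip_address(val))))
        else:              # rfc822Name, URI, otherName, ...: keep raw for the report
            names.append((f"other[{choice}]", val.hex()))
    return names


def audit_san(der: bytes):
    """Return [(ip, reason), ...] for iPAddress SANs that deserve scrutiny."""
    findings = []
    for kind, value in parse_san(der):
        if kind != "iPAddress":
            continue
        ip = ipaddress.ip_address(value)
        if value in WATCHLIST:
            findings.append((value, "well-known public address on watchlist"))
        elif not ip.is_global:
            findings.append((value, "reserved/non-global address, prohibited by the BRs"))
    return findings


def _tlv(tag: int, payload: bytes) -> bytes:
    """Minimal DER encoder (short-form length only) used to build the samples."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


# Constructed sample 1: the SAN contents of certificate 1 in the report.
SAMPLE_SAN = _tlv(0x30,
                  _tlv(0x82, b"test1.hr")
                  + _tlv(0x82, b"test12.hr")
                  + _tlv(0x87, bytes([1, 1, 1, 1])))

# Constructed sample 2: an RFC 1918 IPv4 and a documentation-range IPv6 address,
# both reserved and therefore never valid in a publicly trusted SAN.
SAMPLE_RESERVED = _tlv(0x30,
                       _tlv(0x82, b"example.test")
                       + _tlv(0x87, ipaddress.ip_address("10.0.0.1").packed)
                       + _tlv(0x87, ipaddress.ip_address("2001:db8::1").packed))

if __name__ == "__main__":
    for label, der in (("cert 1", SAMPLE_SAN), ("reserved", SAMPLE_RESERVED)):
        print(label, parse_san(der))
        for ip, reason in audit_san(der):
            print(f"  FLAG {ip}: {reason}")
```

To run this against a real certificate, feed it the raw value of the SubjectAltName extension (OID 2.5.29.17) pulled from the DER certificate; the GeneralNames parser is the part a CA's pre-issuance linter would run, and the watchlist check is the kind of sanity test that would have caught this issuance before the precertificate was logged.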
Ben Wilson
Sep 3, 2025, 2:23:41 PM
to Youfu Zhang, dev-secur...@mozilla.org, info...@fina.hr
Thank you, Youfu, for bringing this to the community’s attention.
This CA has never been part of the Mozilla Root Program, and their certificates have never been trusted by Firefox. However, we are happy to facilitate continued discussion on dev-security-policy as it is clearly relevant to the community as a whole.
Whilst we recognize Fina CA is not part of our root program, we also agree that it would be extremely beneficial for Fina to file an incident report in accordance with this guidance from the CCADB: https://www.ccadb.org/cas/incident-report.
Ben
Bas Westerbaan
Sep 3, 2025, 4:41:52 PM
to Ben Wilson, Youfu Zhang, dev-secur...@mozilla.org, info...@fina.hr
Hi all,
Quick message to confirm that Fina CA did not have our permission to publish these certificates. After seeing the certificate-policy email, we've immediately reached out to them, Microsoft and their TSP supervisory body. We take this lapse very seriously. We've been busy investigating, including checking if there are any other certificates misissued for our domains. We're preparing a blog to share our findings soon.
Best,
Bas
Bas Westerbaan
Sep 4, 2025, 1:29:48 PM
to Ben Wilson, Youfu Zhang, dev-secur...@mozilla.org, info...@fina.hr
Andrew Ayer
Sep 4, 2025, 5:39:06 PM
to dev-secur...@mozilla.org, info...@fina.hr
Watson Ladd
Sep 4, 2025, 5:53:24 PM
to Andrew Ayer, dev-secur...@mozilla.org, info...@fina.hr
Wayne
Sep 4, 2025, 6:12:37 PM
to dev-secur...@mozilla.org, Watson Ladd, dev-secur...@mozilla.org, info...@fina.hr, Andrew Ayer