Certificates non-compliant with Apple Certificate Transparency Policy
Incident Report for GMO GlobalSign

On the 23rd of April 2021 at 16:17 UTC, GlobalSign was informed of certificates issued in noncompliance with Apple's Certificate Transparency policy, which came into effect on the 21st of April 2021.

The affected certificates were issued with 2 Signed Certificate Timestamps (SCTs) issued from a CT log, whereas Apple's updated policy requires 3 SCTs for certificates with a notBefore value greater than or equal to April 21, 2021 and a certificate lifetime greater than 181 to 398 days. The shortfall caused failed TLS connections. SCTs are timestamps provided by the Certificate Transparency services upon submitting a certificate to the logs.

Following investigation, the team traced the issue to a failed deployment of the SCT configuration update to the affected availability zone.

The issue was resolved on the 26th of April 2021 at 15:00 UTC, and new certificates with a certificate lifetime greater than 181 to 398 days are issued with 3 SCTs.
Posted Apr 26, 2021 - 15:00 UTC
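
The following is an added example, not GlobalSign's own tooling: a check that counts the SCTs in a certificate's embedded SCT list and compares the count with the threshold described in this report. The function names, the reading of the lifetime range as 181 through 398 whole days, and the sample SCTs (constructed, with dummy log IDs and signatures) are assumptions.

```python
from datetime import datetime, timedelta, timezone

POLICY_START = datetime(2021, 4, 21, tzinfo=timezone.utc)  # date from the report
MIN_SCT_LEN = 47  # v1 SCT with an empty signature (RFC 6962, section 3.2)

def parse_sct_list(data: bytes):
    """Parse the TLS-encoded SCT list carried in extension 1.3.6.1.4.1.11129.2.4.2
    (inner OCTET STRING already unwrapped). Returns [(log_id, timestamp_ms)]."""
    if len(data) < 2 or int.from_bytes(data[:2], "big") != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        sct_len = int.from_bytes(data[pos:pos + 2], "big")
        sct = data[pos + 2:pos + 2 + sct_len]
        if sct_len < MIN_SCT_LEN or len(sct) != sct_len:
            raise ValueError("truncated SCT entry")
        if sct[0] != 0:
            raise ValueError("unsupported SCT version")
        scts.append((sct[1:33], int.from_bytes(sct[33:41], "big")))
        pos += 2 + sct_len
    return scts

def required_scts(not_before, not_after):
    """Threshold as stated in the report. Assumption: the range is read as
    181 through 398 whole days; None means the report gives no figure."""
    days = (not_after - not_before).days
    if not_before >= POLICY_START and 181 <= days <= 398:
        return 3
    return None

def check_certificate(not_before, not_after, sct_list: bytes):
    """Return (sct_count, required, compliant); compliant is None if no rule applies."""
    count = len(parse_sct_list(sct_list))
    need = required_scts(not_before, not_after)
    return count, need, (None if need is None else count >= need)

def build_sct_list(n: int) -> bytes:
    """Constructed sample: n SCTs with dummy log IDs and signatures."""
    items = b""
    for i in range(n):
        body = (b"\x00" + bytes([i + 1]) * 32 + (1619000000000 + i).to_bytes(8, "big")
                + b"\x00\x00" + b"\x04\x03" + b"\x00\x04" + b"\xaa" * 4)
        items += len(body).to_bytes(2, "big") + body
    return len(items).to_bytes(2, "big") + items

if __name__ == "__main__":
    nb = datetime(2021, 4, 22, tzinfo=timezone.utc)  # timezone-aware datetimes required
    for n in (2, 3):
        print(n, check_certificate(nb, nb + timedelta(days=397), build_sct_list(n)))
```

Run against every issuing zone before and after a configuration rollout, a check of this kind shows which zones are still embedding the old SCT count.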