Clearly someone doesn’t know how to properly parse a CSR; and furthermore their organization is crap at communicating with customers.
This article documents the situation; names and emails have been changed to protect the innocent.
On the 5th of Feb we were issued a new wild-card certificate provided by GeoTrust (Symantec) purchased via eNom.
We submitted the CSR and responded to their confirmation emails. The certificate was installed and has been operational across dozens of sites for about 30 days.
On March 06 we receive an email which notifies us that the certificate will be revoked because:
The organization name verified with your business registration documents indicates Company, Inc, it is not the organization name listed in your CSR which is firstname.lastname@example.org.
Everyone reading this should know the difference between a company name "Company, Inc." and an email address. But clearly, someone/something in the Symantec/GeoTrust/eNom system does not.
Symantec/GeoTrust Processing Failures
Now, one may assume from this reading that perhaps we submitted our CSR wrong; I mean how else could a company name and email get confused? So I instantly went to inspect our CSR; the relevant portions are shown below (but changed to protect the innocent):
Subject: C=US, ST=New Mexico, L=Albuquerque, O=Company, Inc, OU=Engineering, CN=*.company.com
No problems there, the "O" is properly set to our company name.
So, how did the address get mangled?
I went to our sites to take a look at what the Subject on our certificate was listed as and imagine my surprise when I discovered that someone had parsed it so incorrectly that our email address was now our organization.
Subject: C=US, ST=New Mexico, L=Albuquerque, Oemail@example.com, OU = Engineering, CN=*.company.com
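As an added illustration (my own code, not the author's and not anything from GeoTrust, eNom or Symantec), the following Python shows what goes wrong when a subject DN string is split on every comma, and a check that compares the subject you submitted with the subject in the certificate you were issued. The two sample subjects are constructed and modelled on the ones above, with the comma in the organization name escaped as RFC 4514 requires; the function names are assumptions of this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample values modelled on the post (not the real CSR or certificate).
# The comma inside the organization name is escaped per RFC 4514, as a DN-string serializer emits it.
CSR_SUBJECT = r"C=US, ST=New Mexico, L=Albuquerque, O=Company\, Inc, OU=Engineering, CN=*.company.com"
ISSUED_SUBJECT = "C=US, ST=New Mexico, L=Albuquerque, O=email@example.com, OU=Engineering, CN=*.company.com"


def _split_ava(ava: str) -> Tuple[str, str]:
    """Split one 'type=value' component; refuse anything without an '='."""
    if "=" not in ava:
        raise ValueError(f"malformed DN component: {ava!r}")
    attr_type, value = ava.split("=", 1)
    return attr_type.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string into (type, value) pairs, honouring backslash escapes
    and double-quoted values, so the comma in 'O=Company\\, Inc' stays inside the value."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take the next one literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                         # quoted value: separators inside are literal
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:     # unescaped, unquoted comma ends the component
            pairs.append(_split_ava("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        pairs.append(_split_ava("".join(buf)))
    return pairs


def naive_parse_dn(dn: str) -> List[Tuple[str, str]]:
    """The broken approach: split on every comma, ignoring escapes and quotes."""
    out = []
    for part in dn.split(","):
        attr_type, _, value = part.partition("=")
        out.append((attr_type.strip().upper(), value.strip()))
    return out


def subject_mismatches(csr_subject: str, cert_subject: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {type: (expected, actual)} for every attribute that differs between CSR and issued cert."""
    want, got = dict(parse_dn(csr_subject)), dict(parse_dn(cert_subject))
    return {t: (want.get(t), got.get(t)) for t in sorted(set(want) | set(got)) if want.get(t) != got.get(t)}
```

Running `subject_mismatches(CSR_SUBJECT, ISSUED_SUBJECT)` against the issued certificate's subject is the check worth doing the day a certificate lands, before it is deployed to dozens of sites.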
Guesses on Causes
Somehow, submitting a proper CSR and then clicking the link in the email they sent us mangled our CSR so badly that GeoTrust has to revoke that one and issue a new one. The only point where the email address was introduced to the process was on the "other end". That is, eNom, GeoTrust or Symantec added that to the mix, not us. So, to my mind that means they caused it.
So, on March 6th we were notified that our certificate would be revoked on the 7th and we need to re-enroll. A task they gave us less than 24 hours to complete. Unfortunately their certificate generation takes more than 24 hours. Their incompetence causes our certificate to be revoked w/o ample time to respond to the issue.
Customer Communications Fail
The email they notified us with comes from firstname.lastname@example.org, but it’s about GeoTrust – they should be using a consistent company name – especially when dealing with security issues.
The phone numbers listed on the email don’t ring back to Symantec or GeoTrust – Elizabeth you need to fix your message signature to point to the proper phone number!
After wasting more than an hour on the phone with both GeoTrust/Symantec and eNom (at the same time) the issue was finally resolved. GeoTrust has extended our revocation date while we re-order. Then GeoTrust issues refund to eNom who should then issue the refund to us (but only as credits in their system).
Just for grins I’m using the same CSR that I used from the previous request. However, this time I’m not submitting via eNom; we’re using GeoTrust directly. So, we’ll see if the organization & email address get mangled again.