Is Let's Encrypt affected by the certificate serial number entropy bug in EJBCA?

Some background: https://adamcaudill.com/2019/03/09/tls-64bit-ish-serial-numbers-mass-revocation/

My question is, should I be worried about my Let’s Encrypt certificates being revoked? Is LE using EJBCA anywhere in its infrastructure to generate certificates?

Let’s Encrypt runs their own CA software, Boulder.

Serial numbers include 136 bits of random data.

Even if something happened to one or two bits, it wouldn’t be a compliance issue.

As far as I know, they’ve never issued trusted certificates using any other CA software.

3 Likes
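A check for the concern raised in this thread, as an added example that is not part of the original posts and is not Boulder or EJBCA code: given a batch of serials from one issuer, it bounds how many random bits each serial can carry and flags a batch that cannot reach 64. Assumptions: the 64-bit floor is the CA/B Forum Baseline Requirements minimum for CSPRNG output in serials, and both generators, including the prefix byte value, are constructed sample data.

```python
import secrets

BR_MIN_BITS = 64  # Baseline Requirements floor: 64 bits of CSPRNG output

def parse_serial(text):
    """Parse 'serial=0A1B...' or '0a:1b:...' as printed by common tools."""
    return int(text.strip().split("=")[-1].replace(":", ""), 16)

def audit(serials):
    """Bound the random bits per serial using a batch from one issuer.

    One short serial proves nothing: a uniform 64-bit value has its top bit
    clear half the time. Across n serials the chance that the top bit never
    shows up by luck is 2**-n, so the batch maximum is the signal. The result
    is an upper bound: it can prove a shortfall, never sufficiency.
    """
    widest = max(parse_serial(s).bit_length() for s in serials)
    return {"count": len(serials), "max_bits": widest,
            "shortfall": widest < BR_MIN_BITS}

# Constructed generators (not real CA code) for the two layouts in the thread.
def masked_64bit_batch(n=200):
    """64 random bits with the sign bit forced clear: 63 bits survive."""
    return ["%016X" % (secrets.randbits(64) & (2**63 - 1)) for _ in range(n)]

def prefixed_136bit_batch(n=200, prefix=0x03):
    """One fixed prefix byte (assumed value) followed by 136 random bits."""
    return ["%036X" % ((prefix << 136) | secrets.randbits(136)) for _ in range(n)]

if __name__ == "__main__":
    for name, batch in (("masked 64-bit", masked_64bit_batch()),
                        ("prefixed 136-bit", prefixed_136bit_batch())):
        print(name, audit(batch))
```

A batch that passes only shows the serials are wide enough; whether the bits come from a CSPRNG has to be confirmed from the CA software itself.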
