Is Let's Encrypt affected by the certificate serial number entropy bug in EJBCA?

#1

Some background: https://adamcaudill.com/2019/03/09/tls-64bit-ish-serial-numbers-mass-revocation/

My question is, should I be worried about my Let’s Encrypt certificates being revoked? Is LE using EJBCA anywhere in its infrastructure to generate certificates?

#2

Let’s Encrypt runs their own CA software, Boulder.

Serial numbers include 136 bits of random data.

Even if something happened to one or two bits, it wouldn’t be a compliance issue.

As far as I know, they’ve never issued trusted certificates using any other CA software.

3 Likes
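The arithmetic behind the reply above, as an added example that is not part of the original thread and is not Boulder or EJBCA code: a positive serial encoded in 8 octets can hold at most 63 random bits, below the 64-bit CSPRNG minimum in the CA/Browser Forum Baseline Requirements, while a prefix byte plus 136 random bits clears it with room to spare. The two generator functions are simplified models, and the prefix value 0x03 and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"math/big"
)

// minEntropyBits is the CA/Browser Forum Baseline Requirements floor:
// serials must contain at least 64 bits of CSPRNG output.
const minEntropyBits = 64

// positive64BitSerial is a constructed model of a 64-bit serial: draw
// 8 random bytes, then clear the top bit so the INTEGER stays positive.
func positive64BitSerial(r io.Reader) (*big.Int, error) {
	b := make([]byte, 8)
	if _, err := io.ReadFull(r, b); err != nil {
		return nil, err
	}
	b[0] &= 0x7f // sign bit forced to 0: only 63 bits remain random
	return new(big.Int).SetBytes(b), nil
}

// prefixedSerial models the layout described in the reply: one fixed prefix
// byte (hypothetical value, assumed 0x01..0x7f) plus 136 random bits.
func prefixedSerial(prefix byte, r io.Reader) (*big.Int, error) {
	b := make([]byte, 1+17)
	b[0] = prefix
	if _, err := io.ReadFull(r, b[1:]); err != nil {
		return nil, err
	}
	return new(big.Int).SetBytes(b), nil
}

// entropyCeiling returns the most random bits a positive serial can hold:
// its DER content octets times 8, minus the sign bit that must stay 0.
func entropyCeiling(serial *big.Int) int {
	octets := serial.BitLen()/8 + 1
	return octets*8 - 1
}

func main() {
	short, _ := positive64BitSerial(rand.Reader)
	long, _ := prefixedSerial(0x03, rand.Reader)
	for _, s := range []*big.Int{short, long} {
		c := entropyCeiling(s)
		fmt.Printf("%x ceiling=%d ok=%v\n", s, c, c >= minEntropyBits)
	}
}
```

The ceiling is only an upper bound taken from the encoding; it cannot prove that the bits actually came from a CSPRNG.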