GoDaddy, Apple, and Google mistakenly issued more than 1 million digital certificates that violate the CA/Browser Forum rules for certificate issuance. Those companies now have to revoke the certificates because their serial numbers contain 63 bits instead of the required 64. It is not clear how many certification authorities (CAs) are affected by the problem, so the number of non-compliant certificates may be significantly higher.
The problem was caused by an incorrect configuration of the Enterprise Java Beans CA (EJBCA), which many certification authorities use to generate certificates. By default EJBCA generates certificates with 64-bit serial numbers; because of the error, however, the certificates it actually produced violated the industry standard.
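The following is an added example, not EJBCA's or any CA's code, that models how a serial can end up with only 63 bits of entropy and how a batch of such serials can be recognised. It assumes the commonly reported mechanism behind the incident, a 64-bit random value whose top bit is cleared so the serial stays a positive integer; the article itself does not describe the mechanism.

```python
"""Added example: 63-bit vs 64-bit certificate serial numbers.

The flawed generator modelled here clears bit 63 of a 64-bit random value to
keep the serial positive (an assumption about the bug, not stated in the
article).  The DER encoder and the batch check are added for illustration.
"""
import secrets
from typing import Iterable, Tuple

REQUIRED_ENTROPY_BITS = 64  # CA/Browser Forum minimum for certificate serials


def flawed_serial() -> int:
    """Draw 64 random bits, then clear bit 63 so the value is positive.
    Only 63 bits remain unpredictable, which is the defect being modelled."""
    return secrets.randbits(64) & ((1 << 63) - 1)


def compliant_serial() -> int:
    """Keep all 64 random bits.  DER adds a leading 0x00 byte when bit 63 is
    set, so the serial stays positive without losing entropy.  A zero value
    is re-drawn because RFC 5280 requires a positive serial number."""
    while True:
        serial = secrets.randbits(64)
        if serial:
            return serial


def der_integer_content(n: int) -> bytes:
    """Minimal two's-complement content octets of a DER INTEGER for n >= 0.
    A 64-bit value with bit 63 set needs 9 octets, the first being 0x00."""
    length = n.bit_length() // 8 + 1
    return n.to_bytes(length, "big")


def batch_looks_63_bit(serials: Iterable[int]) -> Tuple[bool, float]:
    """Return (all_fit_in_63_bits, chance_of_false_positive) for a batch of
    serials from one CA.  A single short serial proves nothing: a compliant
    64-bit generator leaves bit 63 clear half the time.  But with n serials
    and none having bit 63 set, a compliant CA would produce that pattern
    only with probability 2**-n, so a large all-short batch is strong
    evidence of the 63-bit defect and a reason to check the CA's issuance."""
    serials = list(serials)
    if not serials:
        return (False, 1.0)
    all_short = all(s.bit_length() < REQUIRED_ENTROPY_BITS for s in serials)
    return (all_short, 2.0 ** -len(serials))
```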
The non-compliant certificates do not in themselves pose a particular security risk, but replacing them is a lengthy undertaking: it can take several hours, and many businesses have no automated system for replacing a large number of certificates. Moreover, a careless replacement can introduce new vulnerabilities or disrupt company operations.