Sectigo (formerly known as Comodo) is one of the leading providers for certificates. Such certificates are used to encrypt internet traffic going to websites and mailservers. Sectigo is now recalling almost 6000 certificates, all of which were issued to companies from The Netherlands. The recall action was announced Wednesday. Affected clients have less than one week to install a new certificate. On January 28 the old certificates will be revoked and websites on which the certificate has not been replaced will refuse to load.
All clients of bNamed whose certificate has been recalled have been contacted by us. We are following up with them closely to make sure the installation is completed within the dead-line.
The recall affects only Extended Validation (EV) certificates and is caused by an actually very minor error in the original certificates. Sectigo included the province of the certificate owner as “jurisdiction”. In many countries this would be accurate, but according to Dutch law, the Netherlands is seen as one big jurisdiction for companies. So in theory the jurisdiction should just have been “The Netherlands”.
Sectigo found out about the error themselves and has spontaneously started this recall. That such a small error can start such a major recall with short dead-line might seem strange. But the whole certificate business is on their toes after the thumbscrews were put on Symantec about two years ago. Symantec was originally considered “too big to fail”, but after a couple of mistakes had not been resolved promptly, they were no longer seen as trustworthy by the major browser vendors and were forced to sell their certificate business altogether.