[DBWG] Nonconformant X.509 issuer+subject names in some Afrinic RPKI CA/EE certs
Yogesh Chadee
yogesh at afrinic.net
Mon Dec 15 02:45:20 UTC 2025
Dear Mr Snijders,

I hope this email finds you well.

While we understand that a quick resolution is favourable for everyone,
we believe it would be wise to ensure Certificate holders are aware of
the issue first. Re-issuing a Certificate of a person who is unaware of
the situation, without prior consent, could have undesired consequences.

If this method does not yield the desired results, AFRINIC will then
consider a quicker resolution, having completed the necessary
information campaign.

Thank you for your patience and understanding. We hope this issue will
soon be behind us.

Regards,
AFRINIC

On 12/12/2025 18:49, Job Snijders wrote:
> Dear AFRINIC,
>
> On Fri, Dec 12, 2025 at 03:24:46PM +0400, Yogesh Chadee via DBWG wrote:
>> AFRINIC has taken note of this matter. For the sake of clarity, a fix
>> was applied in June 2024 and the number of non-compliant X.509 RPKI
>> Certificates at AFRINIC has dropped since.
> I wish to express my appreciation for all the work that has gone into
> the restoration effort so far. Thank you for applying a fix to prevent
> issues going forward.
>
>> To accelerate the depletion of non-conformant X.509 RPKI Certificates
>> at AFRINIC, AFRINIC will:
>>
>> 1. Publish an article online about this matter and detail the steps for an
>> end user to revoke a non-compliant X.509 RPKI Certificate;
>> 2. Use its usual communication channels to its Members and the Community to
>> raise awareness on the matter; and
>> 3. Open a Helpdesk to aid end users.
>>
>> We hope this will soon put this issue behind us.
> From the above, it seems like it will be incumbent upon the affected
> resource holders to delete their ROAs and recreate all their ROAs. Am I
> understanding this correctly?
>
> Would it not be more convenient for everyone involved (and less prone to
> error), if AfriNIC, as operator of the Certification Authorities, takes
> upon itself the task of reissuing non-compliant ROAs?
>
> Kind regards,
>
> Job