I have this general question:
I ran an SSL Labs report against a site and found the site was missing its intermediate certificate, and the report showed it has a serial number of X.
So, I searched the web for that certificate's name (not serial number) and found it on the CA's formal certificates page, but that certificate had a *different* serial number, say Y.
Looking into the audited site's certificate, I saw that the "Authority Information Access" (AIA) field has a link to download the intermediate certificate (a different URL from the one the CA officially published, as mentioned above), and when I downloaded the intermediate certificate from that link, it had a serial number of X.
This is, I guess, how the SSL Labs report "knew" to report the serial number of the missing intermediate certificate.
So this led me to realize that the CA issued two, almost identical, intermediate certificates, with even the exact same "not before" and "not after" date and time stamps.
I reported that to the CA and they thanked me for letting them know that they had not updated the content of the AIA URL file to actually include the newer version of the intermediate certificate.
To my question why two, very similar, intermediate certificates were issued, they replied:
The only difference (other than SN and Thumbprint) between these 2 certificates is in the EKU value. Our engineering team confirmed that we sometimes re-issue ICAs with slightly modified extension values if we find an application that requires it.
So my question is: AFAIK root and intermediate certificates should be very unique and not be re-issued / duplicated / "have a twin", so what can be a legit reason for a CA to do such a move?
Thank you in advance!