by agwa 1106 days ago
They "lint" certificates before issuance, as do most CAs. However, I don't think any linters check for this problem, as it requires access to more than just the certificate (the linter would need access to either the precertificate or a database of Certificate Transparency log keys).

We will add a lint to Boulder for precertificate and certificate correspondence to ensure this class of problem never happens again.

It would be nice to add this to Zlint, but we'd need a new interface that could be given both a precertificate and certificate to co-lint. Other than this one correspondence check, I'm not sure if there are any other lints that would fit that pattern.
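
A sketch of the co-lint described above, written as an added example for this thread rather than code from Boulder or ZLint: it takes the precertificate and the final certificate as DER, strips the CT poison extension from the first and the SCT list extension from the second, and requires every remaining TBS field and extension to agree. The function names `CheckCorrespondence`, `dropExtension` and `MakeDemoPair`, the `example.invalid` name and the self-signed test input are assumptions of this example; the two OIDs are the ones RFC 6962 defines. Note that the check needs only the precertificate alongside the certificate, not a database of CT log keys.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}  // RFC 6962 poison extension, present only in a precertificate
var oidCTSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // RFC 6962 SCT list extension, present only in the final certificate

// dropExtension returns c's extensions in DER order minus oid, and whether oid was present.
func dropExtension(c *x509.Certificate, oid asn1.ObjectIdentifier) (kept []pkix.Extension, found bool) {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			found = true
			continue
		}
		kept = append(kept, e)
	}
	return kept, found
}

// CheckCorrespondence is a hypothetical co-lint (not Boulder's or ZLint's code): it returns nil
// only if certDER's TBS fields and extensions match precertDER's once the poison extension is
// swapped for the SCT list extension. Extensions are compared position by position.
func CheckCorrespondence(precertDER, certDER []byte) error {
	pre, err := x509.ParseCertificate(precertDER)
	if err != nil {
		return fmt.Errorf("precertificate: %w", err)
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	preExts, prePoisoned := dropExtension(pre, oidCTPoison)
	certExts, certHasSCTs := dropExtension(cert, oidCTSCTList)
	_, certPoisoned := dropExtension(cert, oidCTPoison)
	switch {
	case !prePoisoned || certPoisoned:
		return fmt.Errorf("CT poison extension must be in the precertificate only")
	case !certHasSCTs:
		return fmt.Errorf("final certificate lacks the SCT list extension")
	case pre.SerialNumber.Cmp(cert.SerialNumber) != 0 || pre.SignatureAlgorithm != cert.SignatureAlgorithm:
		return fmt.Errorf("serial number or signature algorithm mismatch")
	case !bytes.Equal(pre.RawIssuer, cert.RawIssuer) || !bytes.Equal(pre.RawSubject, cert.RawSubject):
		return fmt.Errorf("issuer or subject mismatch")
	case !pre.NotBefore.Equal(cert.NotBefore) || !pre.NotAfter.Equal(cert.NotAfter):
		return fmt.Errorf("validity period mismatch")
	case !bytes.Equal(pre.RawSubjectPublicKeyInfo, cert.RawSubjectPublicKeyInfo):
		return fmt.Errorf("public key mismatch")
	case len(preExts) != len(certExts):
		return fmt.Errorf("extension count mismatch: %d vs %d", len(preExts), len(certExts))
	}
	for i, p := range preExts {
		c := certExts[i]
		if !p.Id.Equal(c.Id) || p.Critical != c.Critical || !bytes.Equal(p.Value, c.Value) {
			return fmt.Errorf("extension %v differs between precertificate and certificate", p.Id)
		}
	}
	return nil
}

// MakeDemoPair builds constructed, self-signed test input (not real CA output): a precertificate,
// its matching certificate, and a certificate whose validity was changed after the precertificate.
func MakeDemoPair() (precertDER, certDER, tamperedDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	base := x509.Certificate{
		SerialNumber: big.NewInt(123456789),
		Subject:      pkix.Name{CommonName: "example.invalid"}, // placeholder name
		DNSNames:     []string{"example.invalid"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	pre := base // precertificate: critical poison extension whose value is ASN.1 NULL
	pre.ExtraExtensions = []pkix.Extension{{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}}}
	sctValue, _ := asn1.Marshal([]byte{0x00, 0x00}) // OCTET STRING holding an empty SCT list
	final := base
	final.ExtraExtensions = []pkix.Extension{{Id: oidCTSCTList, Value: sctValue}}
	tampered := final
	tampered.NotAfter = base.NotAfter.Add(24 * time.Hour)
	var ders [3][]byte
	for i, t := range []x509.Certificate{pre, final, tampered} {
		if ders[i], err = x509.CreateCertificate(rand.Reader, &t, &t, &key.PublicKey, key); err != nil {
			return nil, nil, nil, err
		}
	}
	return ders[0], ders[1], ders[2], nil
}
```

`CheckCorrespondence(pre, cert)` returns nil for the matching pair and "validity period mismatch" for the tampered one. Two deployment caveats: the comparison is position-sensitive, so a CA that inserts the SCT list somewhere other than where the poison extension sat would need a position-insensitive match, and RFC 6962 lets a CA sign precertificates with a dedicated Precertificate Signing Certificate, in which case the issuer comparison has to allow that issuer instead of requiring byte equality.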

Are these linters open source?
Yup, the two most popular are:

https://github.com/zmap/zlint

https://github.com/certlint/certlint

They each have their strengths and weaknesses, so CAs are advised to use both.