Certificate authority (CA) DigiCert has warned that it will revoke a subset of SSL/TLS certificates within 24 hours because of an oversight in how it verified that a certificate applicant actually controls the domain the certificate is issued for.
The company said it will revoke certificates that did not undergo proper Domain Control Validation (DCV). One accepted DCV method has the customer create a DNS CNAME record whose name carries a random value supplied by DigiCert; DigiCert then looks that record up for the domain in question and confirms that the value it finds matches the one it issued. Per DigiCert, the random value is prefixed with an underscore character so that the resulting label cannot collide with a real subdomain: underscores are not permitted in hostnames, so a label such as _random.example.com can never be an actual host.
What the Utah-based company found was that it had failed to include the underscore prefix with the random value used in some CNAME-based validation cases.
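The following Python sketch is added here as an illustration and is not DigiCert's own code. It walks through the CNAME-based check described above: a helper that always prefixes the random value with an underscore when building the record name, a guard that refuses to validate against any record name lacking that prefix, the faulty "legacy" path that accepted bare labels, and an audit helper of the kind a CA would run over past validation records to find certificates that must be revoked. Live DNS is replaced by an in-memory zone dictionary; the CA target hostname `dcv.ca.example`, the base32 encoding of the random value, and the example zone contents are constructed assumptions, not DigiCert's actual record format.

```python
"""Added example: CNAME-based Domain Control Validation (DCV) with the
underscore-prefix rule, and the faulty path that omitted it. Not DigiCert's
code; the record format, CA target hostname and zone data are constructed."""
import base64
import secrets


def new_random_value(nbytes=16):
    """Random value the CA issues to the customer, encoded as one DNS label
    (lowercase base32 without padding). 16 bytes = 128 bits of entropy."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=").lower()


def dcv_record_name(random_value, domain):
    """Name at which the customer must publish the CNAME record.
    The underscore is added automatically when the value lacks it, which is
    the step the faulty code path skipped. A bare '<random>.<domain>' label is
    a syntactically valid hostname and so can collide with a real host; an
    '_'-prefixed label cannot (RFC 1123 hostnames disallow '_')."""
    label = random_value if random_value.startswith("_") else "_" + random_value
    return f"{label}.{domain}".lower().rstrip(".")


def is_compliant_dcv_name(name):
    """Guard the faulty path lacked: the leftmost label must start with '_'."""
    return name.split(".")[0].startswith("_")


def cname_lookup(zone, name):
    """Stand-in for a live DNS query. zone maps record name -> CNAME target."""
    return zone.get(name.lower().rstrip("."))


def verify_dcv_legacy(zone, name, ca_target):
    """Faulty path: looks up whatever name the validation record carries,
    with no check that the label is underscore-prefixed."""
    return cname_lookup(zone, name) == ca_target.lower()


def verify_dcv(zone, name, ca_target):
    """Corrected path: refuse any name whose leftmost label lacks '_', then
    confirm the CNAME points at the CA's validation target."""
    if not is_compliant_dcv_name(name):
        raise ValueError(f"refusing non-compliant DCV record name {name!r}")
    return cname_lookup(zone, name) == ca_target.lower()


def noncompliant_validations(record_names):
    """Audit helper: given the record names used in past CNAME validations,
    return those that were never compliant (their certificates need revoking)."""
    return [n for n in record_names if not is_compliant_dcv_name(n)]


if __name__ == "__main__":
    # Constructed data: a CA validation target and a customer's zone for example.com.
    CA_TARGET = "dcv.ca.example"
    rv = new_random_value()
    zone = {}

    # Customer follows the faulty instructions and publishes a bare label.
    bare_name = f"{rv}.example.com"
    zone[bare_name] = CA_TARGET
    print("legacy path accepts bare label:", verify_dcv_legacy(zone, bare_name, CA_TARGET))
    try:
        verify_dcv(zone, bare_name, CA_TARGET)
    except ValueError as exc:
        print("corrected path:", exc)

    # Customer republishes at the compliant underscore-prefixed name.
    good_name = dcv_record_name(rv, "example.com")
    zone[good_name] = CA_TARGET
    print("corrected path with '_' label:", verify_dcv(zone, good_name, CA_TARGET))
    print("validations needing revocation:", noncompliant_validations(list(zone)))
```

Run directly, the legacy path accepts the bare label that the corrected path refuses, and the audit helper flags exactly that bare record. Swapping the dictionary for a real resolver is the only change needed to turn `cname_lookup` into a live check.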
The issue has its roots in a series of changes, begun in 2019, to revamp the underlying architecture. As part of that work the code that added the underscore prefix was removed and later “added to some paths in the updated system,” but not to one path, which neither added the underscore automatically nor checked whether the random value already carried one. “DigiCert continues to actively engage with customers impacted by this incident and many of them have been able to replace their certificates,” the company said. “Some customers have applied for a delayed revocation due to exceptional circumstances and we are working with them on their individual situations. We are no longer accepting any applications for delayed revocation.”
These include customers operating critical infrastructure who, it said, “are not in a position to have all their certificates reissued and deployed in time without critical service interruptions.” It further noted that all impacted certificates, regardless of circumstances, will be revoked no later than August 3, 2024, 7:30 p.m. UTC.