Certificate authority (CA) DigiCert has announced that it will revoke a subset of its SSL/TLS certificates within 24 hours because of an oversight in how it verified control of the domain names in those certificates. The 24-hour window is the deadline the CA/Browser Forum Baseline Requirements impose once a CA learns that a certificate's domain validation cannot be relied upon.
The company revealed that certificates lacking proper Domain Control Validation (DCV) will be revoked. “Before issuing a certificate, DigiCert validates the customer’s control or ownership over the domain name using several CA/Browser Forum (CABF) approved methods,” DigiCert explained.
One approved method has the customer create a DNS CNAME record whose owner name is a random value supplied by DigiCert; DigiCert then performs a DNS lookup and checks that the record is present with the expected value. The random value is prefixed with an underscore so that it becomes a label that can never be a real hostname (underscores are not permitted in hostnames), which prevents the validation name from colliding with an actual subdomain.
DigiCert discovered that, because of a series of changes to its system architecture beginning in 2019, some CNAME-based validations were performed without the underscore prefix. A validation name of the form <random-value>.example.com is an ordinary subdomain rather than an underscore-prefixed label under the domain, so it does not satisfy the CA/Browser Forum rules for the DNS-change validation method, and certificates issued on the strength of it lack proper DCV. The omission was not caught in cross-functional team reviews or regression testing.
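The following is an added illustration, not DigiCert's code and not described by the article: a minimal DNS-change validator that builds the underscore-prefixed owner name, refuses to validate against a name that lacks the underscore, and replays a stored validation log to find records created at the defective non-underscore name. The CNAME target, the in-memory resolver, the regular expression for the label, and all sample values are assumptions constructed for offline use; a production validator would query authoritative nameservers.

```python
import re
import secrets

# Added example, not DigiCert's code. It models the CA/Browser Forum "DNS Change"
# method: the CA hands the customer a Random Value, the customer publishes it as an
# underscore-prefixed label under the domain, and the CA looks that name up.
# DCV_TARGET and the in-memory resolver are assumptions for offline use; a real
# validator would query authoritative nameservers with a library such as dnspython.

DCV_TARGET = "dcv.example-ca.net"              # assumed CNAME target, illustration only
DCV_LABEL = re.compile(r"^_[a-z0-9]{20,}$")    # assumption: underscore + >= 20 alnum chars


def new_random_value(nbytes: int = 16) -> str:
    """Fresh, unpredictable Random Value for one validation (128 bits here)."""
    return secrets.token_hex(nbytes)


def dcv_owner_name(domain: str, random_value: str, underscore: bool = True) -> str:
    """Owner name of the CNAME the customer must create.

    underscore=False reproduces the defect described above: the random value then
    becomes an ordinary subdomain label instead of an underscore-prefixed one.
    """
    prefix = "_" if underscore else ""
    return f"{prefix}{random_value}.{domain}".lower().rstrip(".")


def is_compliant_owner_name(owner: str, domain: str) -> bool:
    """True only if owner is <label>.<domain> and label starts with '_'.

    Underscores are not permitted in hostnames (RFC 952/1123), so such a label can
    never collide with a real subdomain; a label without it could.
    """
    owner = owner.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if not owner.endswith("." + domain):
        return False
    label = owner[: -(len(domain) + 1)]
    return DCV_LABEL.match(label) is not None


class InMemoryResolver:
    """Constructed stand-in for DNS: maps owner names to CNAME targets."""

    def __init__(self, cnames: dict):
        self.cnames = {k.lower().rstrip("."): v.lower().rstrip(".") for k, v in cnames.items()}

    def cname(self, owner: str):
        return self.cnames.get(owner.lower().rstrip("."))


def validate_domain(resolver, domain: str, random_value: str, target: str = DCV_TARGET):
    """Run the DNS-change check; returns (passed, reason).

    The compliance check runs before the lookup, so a build of this code that
    dropped the underscore would fail closed instead of silently validating a
    subdomain.
    """
    owner = dcv_owner_name(domain, random_value)
    if not is_compliant_owner_name(owner, domain):
        return False, f"refusing to validate against non-underscore name {owner}"
    found = resolver.cname(owner)
    if found != target.lower():
        return False, f"CNAME at {owner} is {found!r}, expected {target!r}"
    return True, "ok"


def audit_validation_log(entries):
    """Replay stored validation records and return the serials whose owner name
    lacked the underscore, i.e. the certificates that would need reissue."""
    return [e["cert_serial"] for e in entries
            if not is_compliant_owner_name(e["owner"], e["domain"])]


# Constructed sample data (values are made up, not real certificates or DNS).
RV_OK = "5e1f9b2c8d7a4e3f0b6c1d2a9f8e7d6c"
RV_BAD = "a0b1c2d3e4f5061728394a5b6c7d8e9f"
SAMPLE_LOG = [
    {"cert_serial": "01", "domain": "example.com", "owner": f"_{RV_OK}.example.com"},
    {"cert_serial": "02", "domain": "example.org", "owner": f"{RV_BAD}.example.org"},
    {"cert_serial": "03", "domain": "example.net", "owner": f"_{RV_OK}.example.net"},
]
SAMPLE_DNS = InMemoryResolver({
    f"_{RV_OK}.example.com": DCV_TARGET,   # correct record
    f"{RV_BAD}.example.org": DCV_TARGET,   # record created at the buggy, non-underscore name
})

if __name__ == "__main__":
    print(validate_domain(SAMPLE_DNS, "example.com", RV_OK))
    print(validate_domain(SAMPLE_DNS, "example.org", RV_BAD))
    print("needs reissue:", audit_validation_log(SAMPLE_LOG))
```

The second call fails because the only record for example.org sits at the non-underscore name, which the validator never queries; the audit flags the same record as the one that would have needed reissue. The same replay over a CA's own validation history is the kind of check that would have surfaced the omission before a customer did.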
The error came to light several weeks ago when a customer raised concerns about the random values used in validation. The issue affects approximately 0.4% of the applicable domain validations, covering 83,267 certificates and 6,807 customers.
Affected customers are advised to replace their certificates by signing in to their DigiCert accounts, generating a new Certificate Signing Request (CSR), completing domain control validation again, and reissuing the certificates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that the revocation may cause temporary disruptions to websites, services, and applications that rely on the affected certificates.
NEWS: @digicert have been producing certs wrong in the past 5-years (!) and is prone to CNAME collision.
0.4% of customers affected, still potentially big impact for the internets.
You literally had one job, digicert… https://t.co/2yqHQJwPE8 — dalmoz (@dalmoz_) August 1, 2024
DigiCert says it is working directly with impacted customers, including operators of critical infrastructure, to manage the reissuance process. Nevertheless, all affected certificates will be revoked by August 3, 2024, 7:30 p.m. UTC.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.