Leading digital certificate authority DigiCert has announced an urgent revocation of thousands of its SSL/TLS certificates due to a non-compliance issue in its domain control verification (DCV) process.
What Happened?
A technical oversight in DigiCert’s systems resulted in the omission of an underscore prefix in some DNS CNAME records used for domain validation. While this seemingly minor detail has a negligible impact on security, it violates strict industry standards set by the CA/Browser Forum (CABF). These standards mandate a 24-hour revocation period for any certificate with a domain validation issue, regardless of the severity.
Customer Impact and Action
Approximately 0.4% of DigiCert’s active certificates are affected. Impacted customers have been notified and are required to replace their certificates within 24 hours. DigiCert has provided instructions for reissuing certificates and is offering support to affected customers.
Customers should log into their CertCentral account to identify affected certificates and follow the reissue process:
- Log in to your CertCentral account and view the CNAME Revocation Incident banner, shown when you first log in, to see impacted certificates.
- Navigate to the Certificates > Orders page and locate your impacted certificates.
- Generate a new Certificate Signing Request (CSR).
- On each certificate’s Order # details page, in the Certificate actions dropdown, select Reissue certificate.
- Complete any additional required validation steps.
- Install your reissued SSL/TLS certificate.
Technical Deep Dive
The issue stems from the specific format of CNAME records used in DNS-based domain verification. While there are multiple valid ways to add a CNAME record, one method requires an underscore prefix to prevent potential conflicts with actual domain names. DigiCert’s documentation failed to explicitly mention this requirement, leading to non-compliant validations.
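The check described above can be run against your own zone data. This is an added example, not DigiCert's code and not part of the original article: it scans CNAME records that point at a CA validation target and flags those whose random-value label lacks the underscore prefix. The target name `dcv.ca.example`, the sample records, and the assumption that the random value is the label placed directly in front of the validated domain are all illustrative.

```python
# Added example: audit a zone for DCV CNAME records missing the underscore prefix.
CA_TARGET = "dcv.ca.example"  # hypothetical CA validation target (assumption)

# Constructed sample zone data; one record per line with an explicit owner name.
SAMPLE_ZONE = """\
www                          3600 IN CNAME web.example.net.
_k3q9x7v2lm8p.example.com.   300  IN CNAME dcv.ca.example.   ; random value with prefix
t5w1z8r4bn6c                 300  IN CNAME DCV.CA.EXAMPLE.   ; random value, no prefix
"""

def absolute(name, origin):
    """Lowercase absolute name without trailing dot; relative names get the origin."""
    name = name.lower()
    origin = origin.lower().rstrip(".")
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def audit_dcv_cnames(zone_text, origin, validated_domain, ca_target=CA_TARGET):
    """Return [(owner, verdict)] for CNAMEs that point at the CA validation target."""
    domain = validated_domain.lower().rstrip(".")
    findings = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()        # strip comments, tokenize
        types = [f.upper() for f in fields]
        if "CNAME" not in types:
            continue
        i = types.index("CNAME")
        if i == 0 or i + 1 >= len(fields):
            continue                                  # malformed record
        owner = absolute(fields[0], origin)
        target = absolute(fields[i + 1], origin)
        if target != ca_target:
            continue                                  # not a validation record
        if not owner.endswith("." + domain):
            continue                                  # value is not a label in front of the domain
        label = owner[: -len(domain) - 1].split(".")[-1]  # label directly in front of the domain
        verdict = "compliant" if label.startswith("_") else "missing-underscore"
        findings.append((owner, verdict))
    return findings

if __name__ == "__main__":
    for owner, verdict in audit_dcv_cnames(SAMPLE_ZONE, "example.com.", "example.com"):
        print(f"{verdict:20} {owner}")
```
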
DigiCert’s Response
DigiCert has acknowledged the error and is taking immediate steps to rectify the situation. They have consolidated and reviewed all random value generators, simplified the user experience for domain validation, and embedded compliance team members in development teams. Additionally, they are increasing test coverage and plan to open-source their DCV process for community review.
For DigiCert customers, the immediate priority is to replace any impacted certificates to avoid disruptions to their websites and services.