Ddos 
SSL.com has disclosed an incident involving the mis-issuance of digital certificates due to an error in its Domain Control Validation (DCV) process. The issue stemmed from an incorrect implementation of the “Email to DNS TXT Contact” method, as specified in section 3.2.2.4.14 of the SSL.com Certification Practice Statement/Certification Policy (CP/CPS).
The incident led to a certificate being incorrectly issued to the hostname of the approver’s email address. Upon discovery of the flaw, SSL.com took immediate action, revoking the affected certificate, invalidating the relevant DCV record, and disabling the faulty DCV method until a solution could be implemented.
The flaw was disclosed through Bugzilla on April 18, 2025, when an automated alert reached SSL.com’s Security Auditor account. The company immediately launched an investigation and determined that a total of 11 certificates had been affected.
“After scanning the entire corpus of certificates issued with the above method, we identified ten (10) additional affected certificates that were mis-issued and have now been revoked.”
Each certificate was revoked within 24 hours of identification. Links to the revoked certificates have been made publicly available via crt.sh, including:
- https://crt.sh/?id=17926238129
- https://crt.sh/?id=13285324095
- https://crt.sh/?id=16304469933 (and others listed in the full disclosure)
The mis-issuance of the certificates represents a violation of SSL.com’s CP/CPS, specifically clauses related to:
- 3.2.2.4 Validation of Domain Authorization or Control: “SSL.com shall confirm that, prior to the date of Certificate issuance, SSL.com has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.”
- 3.2.2.4.14 Email to DNS TXT Contact: “SSL.com SHALL confirm the Applicant’s control over the FQDN by sending a Random Value via email and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to a DNS TXT Record Email Contact for the Authorization Domain Name selected to validate the FQDN.”
The report explicitly states this as “Validation not being done properly as stated in BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact).”
The incident was initially reported by a third party. SSL.com’s Security Auditor account received an automated email notification about the bug on 2025-04-18 18:42 UTC. SSL.com has committed to transparency and is processing this incident with the “utmost priority”. A full incident report is scheduled to be published on or before 2025-05-02.
SSL.com’s investigation revealed that, with one exception, previous certificates were issued using compliant DCV evidence. The mis-issuances occurred during the renewal or reissuance of certificates, and these affected certificates were revoked within 24 hours of identification. The report also clarifies that the issue did not affect Entrust’s systems and APIs.
SSL.com has acknowledged the community’s concerns and expressed gratitude to the security researcher who reported the issue, stating that they provided “sufficient and well-structured information.” SSL.com is committed to maintaining transparency throughout the ongoing investigation.
Donate