Certificate authority (CA) DigiCert has announced it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight in the verification process that is meant to ensure certificates are issued to the rightful domain owners. The affected certificates lack proper Domain Control Validation (DCV).
DigiCert typically validates a customer’s control over a domain using methods approved by the CA/Browser Forum (CABF). One such method involves the customer setting up a DNS CNAME record with a random value provided by DigiCert. The company then performs a DNS lookup to verify the values match.
The random value is prefixed with an underscore character to prevent potential collisions with actual subdomains using the same value. However, DigiCert found that, in some CNAME-based validation cases, the underscore prefix was missing due to changes made to their system starting in 2019. These changes removed the code that automatically added the underscore prefix, and this was not caught during cross-functional reviews or regression testing.
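To make the mechanism concrete, the following is an added example, not DigiCert's code, of what a CNAME-based DCV check and the missing regression check look like. It models the DNS lookup with a constructed in-memory zone, and the function names and the CNAME target `dcv.ca-validation.example.` are assumptions for illustration only. The underscore is added in exactly one place, so a change to the random-value generator cannot silently drop it, and `audit_labels` is the kind of post-hoc check that would flag issued validations whose label lacks the prefix.

```python
"""CNAME-based Domain Control Validation (DCV) with the underscore-prefixed
label described above, plus an audit that flags labels missing it.

Added example, not DigiCert's own code. The function names, the constructed
zone data and the CNAME target 'dcv.ca-validation.example.' are assumptions.
"""
import re
import secrets

# A bare random value: lowercase hex is a safe DNS-label character set.
RANDOM_VALUE_RE = re.compile(r"^[0-9a-f]{32}$")


def generate_random_value() -> str:
    """Return a fresh 128-bit random value as 32 lowercase hex characters."""
    return secrets.token_hex(16)


def validation_label(random_value: str) -> str:
    """Return the owner-name label the customer must create: '_' + value.

    The underscore is added here, once, rather than left to every caller or
    generator; the incident described above came from this step being dropped
    when the generation code changed.
    """
    if not RANDOM_VALUE_RE.fullmatch(random_value):
        raise ValueError("random value must be 32 lowercase hex characters")
    return "_" + random_value


def expected_owner_name(domain: str, random_value: str) -> str:
    """Fully qualified record name the CA looks up, e.g. '_<value>.example.com.'."""
    return f"{validation_label(random_value)}.{domain.strip('.')}."


def validate_domain_control(zone: dict, domain: str,
                            random_value: str, target: str) -> bool:
    """Check that the zone holds a CNAME at the expected name pointing at target.

    `zone` stands in for a live DNS lookup: it maps lowercase owner names
    (with trailing dot) to CNAME targets (with trailing dot). A record at the
    un-prefixed name does not satisfy the check.
    """
    owner = expected_owner_name(domain, random_value).lower()
    answer = zone.get(owner)
    return answer is not None and answer.lower() == target.lower()


def audit_labels(labels):
    """Return labels from a set of issued validations that lack the underscore
    prefix: the regression check that was missing, run as a post-hoc audit."""
    return [label for label in labels if not label.startswith("_")]


if __name__ == "__main__":
    TARGET = "dcv.ca-validation.example."  # constructed CA-side CNAME target
    value = generate_random_value()
    owner = expected_owner_name("example.com", value)
    # Constructed zone: the customer created the record correctly.
    zone = {owner.lower(): TARGET}
    print(owner, "->", validate_domain_control(zone, "example.com", value, TARGET))
    # Constructed issued-validation sample containing one non-compliant label.
    print(audit_labels(["_" + generate_random_value(), "0" * 32]))
```

Running the script prints the expected owner name with `True`, then a one-element list holding the non-compliant label from the constructed sample.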
On June 11, 2024, DigiCert updated its random value generation process, eliminating the manual addition of the underscore prefix. However, the company again failed to compare this update against the legacy system, resulting in the same oversight. The non-compliance issue was discovered several weeks ago when a customer reported inconsistencies in the random values used for validation, prompting a deeper review.
The issue affects approximately 0.4% of applicable domain validations, impacting 83,267 certificates and 6,807 customers. Notified customers are advised to replace their certificates as soon as possible by signing into their DigiCert accounts, generating a Certificate Signing Request (CSR), and reissuing the certificates after passing DCV.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding the situation, warning that the revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on them for secure communication.