DigiCert revoked 83k certificates

DigiCert has announced that it will revoke 83,267 SSL/TLS certificates, impacting 6,807 subscribers, due to an issue with its DNS-based domain validation.

DigiCert says the affected customers will be reissued their certificates within 24 hours. The deadline was later set to August 3rd to avoid disrupting critical services.

Before issuing a certificate for a domain, DigiCert validates the customer's control or ownership of the domain name. For this, it uses one of the methods approved by the CA/Browser Forum (CABF), which relies on the customer adding a DNS CNAME record. This CNAME record must include a random value that DigiCert provides.


DigiCert then performs a DNS lookup for the domain and checks for that same random value; finding it proves that the customer controls the domain.

One of the ways to add a DNS CNAME record with the random value requires the random value to be prefixed with an underscore character. The underscore prefix prevents the random value from colliding with an actual hostname that happens to use the same value. DigiCert recently discovered that, in some CNAME-based validation cases, it had failed to include the underscore prefix with the random value.

As a result, it must now revoke all the impacted certificates. DigiCert says the chance of such a collision actually occurring is small, yet the validation is considered non-compliant if it does not include the underscore prefix.
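To make the compliance point concrete, here is an added example (not code from DigiCert or from this article) that builds the underscore-prefixed validation name a compliant CNAME-based check should look up, classifies a DNS answer as compliant, non-compliant or missing, and audits a zone for validation CNAMEs that lack the prefix. The zone data and the validation target name `dcv.validation.example.` are constructed placeholders, not DigiCert's real records.

```python
from typing import Dict, List, Tuple

# Constructed sample DNS data standing in for the answers a resolver would
# return. Keys are owner names, values are CNAME targets (both FQDNs with
# a trailing dot). The validation target is a placeholder, not a real CA name.
DCV_TARGET = "dcv.validation.example."
SAMPLE_ZONE: Dict[str, str] = {
    "_abc123random.example.com.": DCV_TARGET,   # compliant: underscore prefix present
    "abc123random.example.net.": DCV_TARGET,    # non-compliant: prefix missing
    "www.example.org.": "example.org.",         # ordinary CNAME, unrelated to validation
}


def validation_label(random_value: str, domain: str) -> str:
    """Owner name a compliant CNAME-based check must look up: _<random>.<domain>."""
    return f"_{random_value}.{domain.rstrip('.')}."


def classify_dcv(zone: Dict[str, str], domain: str, random_value: str,
                 target: str = DCV_TARGET) -> str:
    """Return 'compliant', 'non-compliant' or 'missing' for one validation attempt.

    'non-compliant' means the random value was found only under an owner name
    without the underscore prefix, which is the defect described above.
    """
    prefixed = validation_label(random_value, domain)
    unprefixed = f"{random_value}.{domain.rstrip('.')}."
    if zone.get(prefixed, "").lower() == target.lower():
        return "compliant"
    if zone.get(unprefixed, "").lower() == target.lower():
        return "non-compliant"
    return "missing"


def audit_zone(zone: Dict[str, str], target: str = DCV_TARGET) -> List[Tuple[str, str]]:
    """Flag every CNAME pointing at the validation target whose leftmost label lacks '_'.

    Useful for a domain owner reviewing their own zone for records created by
    an unprefixed validation flow that may now need to be redone.
    """
    findings: List[Tuple[str, str]] = []
    for owner, cname in zone.items():
        if cname.lower() != target.lower():
            continue
        first_label = owner.split(".")[0]
        if not first_label.startswith("_"):
            findings.append((owner, "validation CNAME without underscore prefix"))
    return findings


if __name__ == "__main__":
    for dom in ("example.com", "example.net", "example.org"):
        print(dom, classify_dcv(SAMPLE_ZONE, dom, "abc123random"))
    print(audit_zone(SAMPLE_ZONE))
```

Against a live zone you would replace `SAMPLE_ZONE` with CNAME answers from your resolver; the classification logic is the same. The audit deliberately keys on the CNAME target rather than on the random value, since a domain owner checking after the fact usually no longer has the original value to hand.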

DigiCert fixed the code flaw that caused the underscore prefix to be omitted and provided instructions on how to replace non-compliant TLS certificates and how to check whether existing certificates are compliant.


Given the short time frame, customers complained that revoking the certificates would cause temporary disruptions to the websites, services, and applications that rely on them for secure communication.

DigiCert said it has found a way to postpone revocations until August 3rd, but only under exceptional circumstances, to avoid disrupting critical services.

CISA has issued an alert urging DigiCert customers to check their DigiCert accounts for potentially non-compliant certificates.
