DigiCert to Revoke Certain SSL/TLS Certificates Due to Domain Validation Issue

Summary of the Issue

DigiCert has announced that it will revoke a subset of SSL/TLS certificates within 24 hours due to an error in their domain validation process. The company identified that it had not properly verified the ownership of certain domains before issuing certificates.

You might be interested in: HotPage Malware Exploits Kernel Driver on Windows Systems

What Happened?

Before issuing a certificate, DigiCert must verify that the customer controls or owns the domain name. This verification is done using methods approved by the CA/Browser Forum (CABF). One such method involves setting up a DNS CNAME record with a random value provided by DigiCert, which is then checked to ensure it matches the domain in question.

However, DigiCert found that in some cases, the random value did not include the required underscore prefix. This prefix is essential to prevent conflicts with actual subdomains using the same random value.

Root Cause of the Problem

The issue started in 2019 when DigiCert made several changes to its system architecture. During this update, the code responsible for adding the underscore prefix was removed and only partially reinstated. One path in the updated system neither added the prefix automatically nor checked if the random value had it.

The error was not detected during the system review and regression testing phases, as the tests focused on workflows and functionality rather than the content structure of the random values. The company admitted that they did not compare the old and new random value implementations thoroughly, which would have revealed the missing prefix issue.

Recent Developments

On June 11, 2024, DigiCert revamped its random value generation process to eliminate the need for manual prefix addition. However, the change was not compared against the old system’s underscore prefix flow, leading to the ongoing problem.

The issue came to light a few weeks ago when a customer pointed out the problem with the random values used in validation. A deeper review followed, revealing that approximately 0.4% of domain validations were affected, impacting 83,267 certificates and 6,807 customers.

Recommended Actions for Affected Customers

Customers with affected certificates are advised to act quickly:

1. Log into your DigiCert account.
2. Generate a new Certificate Signing Request (CSR).
3. Reissue your certificates after passing the Domain Control Validation (DCV).

Potential Impacts

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that the revocation of these certificates might cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication.

For more information and updates, customers should monitor communications from DigiCert and follow their recommended steps to mitigate any disruptions.