Summary: DigiCert, a certificate authority, has announced that it will revoke a subset of SSL/TLS certificates within 24 hours due to an oversight in verifying domain ownership. The affected certificates lack proper Domain Control Validation (DCV). DigiCert validates domain control by methods approved by the CA/Browser Forum, one of which involves setting up a DNS CNAME record with a random value provided by DigiCert. This random value, prefixed with an underscore to prevent conflicts with real subdomains, is verified through a DNS lookup.
However, DigiCert discovered that it failed to include the underscore prefix in some cases due to changes made to the system starting in 2019. The oversight occurred because the updated system did not add or check for the underscore prefix in all validation paths. This issue was not identified during cross-functional reviews or regression testing, which focused on workflows rather than the content of the random value.
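The check the summary describes, as an added example that is not DigiCert's code or data: a strict verifier that only accepts the CNAME published at the underscore-prefixed label, a legacy mode that reproduces the oversight by falling back to the bare label, and an audit routine that scans recorded validations for labels missing the underscore. The zone contents, random values and the CA-side CNAME target (dcv.ca-example.invalid) are constructed stand-ins for a real DNS lookup.

```python
"""DNS CNAME domain control validation with the underscore-prefixed
random-value label. Added example; zone data and CA target are constructed."""

import re
from typing import Dict, List, Optional, Tuple

# Stand-in for a DNS resolver: owner name -> CNAME target (constructed).
SAMPLE_ZONE: Dict[str, str] = {
    "_k7s92mq1xz.example.com.": "dcv.ca-example.invalid.",
    "p4r8tw2yv0.example.com.": "dcv.ca-example.invalid.",  # underscore missing
}

# Hypothetical CA-side name every DCV CNAME must point at (assumption).
DCV_TARGET = "dcv.ca-example.invalid."

# A compliant label is the random value with a leading underscore.
_LABEL_RE = re.compile(r"^_[A-Za-z0-9]+$")


def dcv_owner_name(random_value: str, domain: str, with_underscore: bool = True) -> str:
    """Build the fully qualified owner name the customer must publish."""
    label = ("_" if with_underscore else "") + random_value
    return f"{label}.{domain.rstrip('.')}."


def lookup_cname(zone: Dict[str, str], owner: str) -> Optional[str]:
    """Resolve a CNAME from the constructed zone (replaces a live DNS query)."""
    return zone.get(owner.lower())


def verify_dcv(zone: Dict[str, str], random_value: str, domain: str,
               strict: bool = True) -> Tuple[bool, str]:
    """Return (passed, owner name consulted).

    strict=True: only the underscore-prefixed label is acceptable.
    strict=False: reproduces the oversight by also accepting the bare label,
    so a validation can succeed without the underscore ever being checked.
    """
    owner = dcv_owner_name(random_value, domain, with_underscore=True)
    if lookup_cname(zone, owner) == DCV_TARGET:
        return True, owner
    if strict:
        return False, owner
    # Legacy path: fall back to the label without the underscore prefix.
    owner = dcv_owner_name(random_value, domain, with_underscore=False)
    if lookup_cname(zone, owner) == DCV_TARGET:
        return True, owner
    return False, owner


def audit_validations(records: List[Tuple[str, str]]) -> List[str]:
    """Given (validated domain, owner name used) pairs from validation logs,
    return the owner names whose first label lacks the underscore prefix.
    These are the validations that would need to be redone."""
    flagged = []
    for _domain, owner in records:
        label = owner.split(".")[0]
        if not _LABEL_RE.match(label):
            flagged.append(owner)
    return flagged


if __name__ == "__main__":
    print(verify_dcv(SAMPLE_ZONE, "k7s92mq1xz", "example.com"))
    print(verify_dcv(SAMPLE_ZONE, "p4r8tw2yv0", "example.com"))
    print(verify_dcv(SAMPLE_ZONE, "p4r8tw2yv0", "example.com", strict=False))
    print(audit_validations([
        ("example.com", "_k7s92mq1xz.example.com."),
        ("example.com", "p4r8tw2yv0.example.com."),
    ]))
```

The point of the two modes is that the legacy path passes the second record even though the label is not underscore-prefixed, which is exactly what workflow-focused regression tests would not notice; a test that asserts on the label content, as the audit routine does, catches it.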
Security Officer Comments: In June 2024, DigiCert revamped the random value generation process but failed to compare it against the legacy system's underscore requirement. The non-compliance issue was discovered only recently when a customer raised concerns about the random values used in validation. Approximately 0.4% of domain validations are affected, impacting 83,267 certificates and 6,807 customers. DigiCert has advised notified customers to replace their certificates immediately by signing into their accounts, generating a Certificate Signing Request (CSR), and reissuing the certificates after passing DCV.
Suggested Corrections: CISA urges DigiCert customers to check their DigiCert account to view any non-compliant certificates and reissue/rekey certificates. See DigiCert's Revocation Incident Notice for customer instructions and more information.
Link(s): https://thehackernews.com/2024/07/digicert-to-revoke-83000-ssl.html