Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

DigiCert Revoking Many Certificates Due to Verification Issue

DigiCert is immediately revoking many certificates due to a domain validation issue, which could cause disruption to sites, apps and services.

DigiCert is revoking many TLS certificates due to a domain validation issue, which could cause disruptions to websites, applications and services.

The certificate authority (CA) informed customers on July 29 of a “revocation incident” related to CNAME-based domain validation, saying that it needs to revoke some certificates within 24 hours due to strict CA/Browser Forum (CABF) rules.

The issue is related to the process used to validate that a customer requesting a certificate for a domain is actually the owner or administrator of that domain. One option is for the customer to add a DNS CNAME record with a random value provided by DigiCert to their domain. The value added by the customer to the domain must match the value provided by DigiCert in order for domain ownership to be verified.

The random value provided by DigiCert was prefixed by an underscore character to prevent collisions between the value and the domain name. However, the company learned recently that the underscore prefix was not added in some cases.

“Under strict CABF rules, certificates with an issue in their domain validation must be revoked within 24 hours, without exception,” DigiCert said.

The issue was apparently introduced in 2019 with a new validation system and it was discovered recently during an investigation triggered by someone’s inquiry into random values used for domain validation.  

Advertisement. Scroll to continue reading.

DigiCert said roughly 0.4% of applicable domain validations were impacted. While that is a small percentage, the number of affected certificates could be in the thousands considering that DigiCert is a major CA whose customers include a majority of Fortune 500 companies and top global banks.  

SecurityWeek has reached out to DigiCert and will update this article if the company shares the number of impacted certificates.

DigiCert has made available some technical details related to the incident and it has provided step-by-step instructions for impacted customers, who have been notified that they need to replace certificates within 24 hours. 

The US cybersecurity agency CISA has issued an alert urging DigiCert customers to check their account for any non-compliant certificates and to take action. 

“Revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication,” CISA said.

Related: AnyDesk Hacked: Revokes Passwords, Certificates in Response

Related: GitHub Revokes Code Signing Certificates Following Cyberattack

Related: Machine Identity Firm Venafi Readies for the 90-day Certificate Lifecycle

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.