SecurityWeek

Incident Response

DigiCert Revoking Many Certificates Due to Verification Issue

DigiCert is immediately revoking many certificates due to a domain validation issue, which could cause disruption to sites, apps and services.

DigiCert is revoking many TLS certificates due to a domain validation issue, which could cause disruptions to websites, applications and services.

The certificate authority (CA) informed customers on July 29 of a “revocation incident” related to CNAME-based domain validation, saying that it needs to revoke some certificates within 24 hours due to strict CA/Browser Forum (CABF) rules.

The issue is related to the process used to validate that a customer requesting a certificate for a domain is actually the owner or administrator of that domain. One option is for the customer to add a DNS CNAME record with a random value provided by DigiCert to their domain. The value added by the customer to the domain must match the value provided by DigiCert in order for domain ownership to be verified.

The random value provided by DigiCert was prefixed by an underscore character to prevent collisions between the value and the domain name. However, the company learned recently that the underscore prefix was not added in some cases.
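The validation logic the article describes can be modelled in a few lines. The following Python is an added illustration, not DigiCert's code and not a description of its actual systems: it assumes a simplified scheme in which the customer publishes a CNAME record named `_<random>.<domain>` pointing at a CA-controlled target hostname, and it audits pending validations for the exact defect the article reports, a record whose random-value label lacks the underscore prefix. The zone data, the CA target name and the record names are all constructed for the example.

```python
import re
import secrets

# Constructed stand-in for a DNS resolver: CNAME owner name -> target.
# These records are made up for this example and are not real DNS data.
SAMPLE_ZONE = {
    "_k7f3q9x2w1.example.com": "dcv.ca-validation.example",   # compliant
    "k7f3q9x2w1.example.net": "dcv.ca-validation.example",    # underscore missing
}

# Hypothetical CA-controlled CNAME target; a real CA publishes its own name.
CA_TARGET = "dcv.ca-validation.example"

# A compliant label is an underscore followed by the random value. Because
# hostnames may not begin with an underscore, such a label can never collide
# with a real host in the customer's zone, which is the point of the prefix.
LABEL_RE = re.compile(r"^_[a-z0-9]+$")


def new_random_value(nbytes: int = 16) -> str:
    """Generate the unpredictable value the CA hands to the customer."""
    return secrets.token_hex(nbytes)


def validation_label(random_value: str, domain: str) -> str:
    """Build the CNAME owner name the customer is asked to publish."""
    return f"_{random_value}.{domain}"


def audit_validation(record_name, domain, expected_target, lookup_cname):
    """Check one pending validation; return (ok, reason).

    lookup_cname(name) returns the CNAME target or None. In the article's
    incident the record name itself was generated without the underscore,
    so the label check is applied to the stored record name, not rebuilt.
    """
    label, _, parent = record_name.partition(".")
    if parent.lower() != domain.lower():
        return False, "record is not directly under the requested domain"
    if not LABEL_RE.match(label):
        return False, "random value label lacks required underscore prefix"
    target = lookup_cname(record_name)
    if target is None:
        return False, "no CNAME record found"
    if target.rstrip(".").lower() != expected_target.lower():
        return False, "CNAME target does not match the CA-provided value"
    return True, "ok"


def non_compliant(pending, expected_target, lookup_cname):
    """Return the (record_name, reason) pairs that fail the audit.

    This is the kind of sweep a CA or a customer would run to find
    validations that must be redone and certificates that must be replaced.
    """
    findings = []
    for record_name, domain in pending:
        ok, reason = audit_validation(record_name, domain, expected_target, lookup_cname)
        if not ok:
            findings.append((record_name, reason))
    return findings


if __name__ == "__main__":
    pending = [
        ("_k7f3q9x2w1.example.com", "example.com"),
        ("k7f3q9x2w1.example.net", "example.net"),
        ("_zzz.example.com", "example.com"),
    ]
    for name, why in non_compliant(pending, CA_TARGET, SAMPLE_ZONE.get):
        print(f"NON-COMPLIANT {name}: {why}")
```

Running the block lists the `example.net` record, whose label has no underscore, and the `_zzz` record, which has no CNAME at all, while the compliant `example.com` record passes. Under the CA/Browser Forum rule quoted later in the article, any certificate whose validation fails the first kind of check has to be revoked and re-issued after a fresh, correctly formed validation.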

“Under strict CABF rules, certificates with an issue in their domain validation must be revoked within 24 hours, without exception,” DigiCert said.

The issue was apparently introduced in 2019 with a new validation system and it was discovered recently during an investigation triggered by someone’s inquiry into random values used for domain validation.  


DigiCert said roughly 0.4% of applicable domain validations were impacted. While that is a small percentage, the number of affected certificates could be in the thousands considering that DigiCert is a major CA whose customers include a majority of Fortune 500 companies and top global banks.  

SecurityWeek has reached out to DigiCert and will update this article if the company shares the number of impacted certificates.

DigiCert has made available some technical details related to the incident and it has provided step-by-step instructions for impacted customers, who have been notified that they need to replace certificates within 24 hours. 

The US cybersecurity agency CISA has issued an alert urging DigiCert customers to check their account for any non-compliant certificates and to take action. 

“Revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication,” CISA said.

Related: AnyDesk Hacked: Revokes Passwords, Certificates in Response

Related: GitHub Revokes Code Signing Certificates Following Cyberattack

Related: Machine Identity Firm Venafi Readies for the 90-day Certificate Lifecycle

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
