DigiCert Plans to Invalidate Over 83,000 SSL Certificates Due to Domain Validation Oversight

 Jul 31, 2024  Ravie Lakshmanan Web Security / Compliance

Certificate authority (CA) DigiCert has warned that it will revoke a batch of SSL/TLS certificates within the next 24 hours because of an oversight in the process it uses to verify that a certificate applicant actually controls the domain named in the certificate.

The company said it is revoking certificates that were issued without proper Domain Control Validation (DCV). The 24-hour window is not DigiCert's choice: the CA/Browser Forum Baseline Requirements oblige a CA to revoke within 24 hours once it learns that the domain validation behind a certificate cannot be relied upon.

According to a company statement, “Before providing a certificate to a client, DigiCert verifies the client’s control or ownership of the domain name they are requesting a certificate for, using methods authorized by the CA/Browser Forum (CABF).”

One of those methods has the customer publish a DNS CNAME record containing a random value supplied by DigiCert. DigiCert then performs a DNS lookup on the domain and confirms that the value it finds matches the one it issued.


According to DigiCert, the random value is prefixed with an underscore character so that it cannot collide with a legitimate subdomain carrying the same random value. Hostnames may only contain letters, digits and hyphens (RFC 952/1123), so a DNS label that begins with an underscore can never be a real host that some other party happens to control.

DigiCert found that in some CNAME-based validations the underscore prefix had not been included in the random value. Under the Baseline Requirements, a random value placed in a label below the domain must sit in a label that begins with an underscore, so a validation performed through a plain `<random>.example.com` name does not satisfy the method as specified, which is why the affected certificates must be revoked.

The problem dates back to a 2019 rewrite of DigiCert's core architecture. During that work the code that adds the underscore prefix was removed and later restored in most of the new system, but one code path was missed: it neither added the prefix automatically nor checked that the random value already carried one.

DigiCert explained, “The omission of the underscore prefix was not identified during the team reviews conducted before the new system was deployed.”

“Despite having regression tests in place, these tests did not flag the change as they were designed to test workflows and functions, not the content or structure of the random value.”

“Regrettably, no reviews were carried out to compare the random value implementations between the legacy system and the new system for all scenarios. Had these comparisons been performed, DigiCert would have noticed sooner that the system was not automatically adding the underscore prefix where required.”

Later, on June 11, 2024, DigiCert reworked the random value generation process as part of a user-experience enhancement project and dropped the manual addition of the underscore prefix; it acknowledged that it again failed to compare this change against the underscore flow in the legacy system.
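The CNAME validation mechanism and the missing underscore check described above, together with the content-level differential test that DigiCert says it never ran between the legacy and rewritten generators, as an added example in Python. This is illustrative code, not DigiCert's; the zone contents, the CA target name `dcv.example-ca.invalid` and every function name are constructed assumptions.

```python
"""
Added example, not DigiCert's code: a toy model of CNAME-based Domain Control
Validation (DCV) that shows why the random value must begin with an underscore,
plus the kind of differential check between a legacy and a rewritten random-value
generator that the incident report says was never run. The zone contents, the
CA target name and the function names are all constructed for illustration.
"""
from __future__ import annotations

import re
import secrets
from typing import Callable, Dict, Tuple

# Assumed CA-side CNAME target (placeholder; real CAs publish their own).
CA_DCV_TARGET = "dcv.example-ca.invalid."

# RFC 1123 hostname label: letters, digits and hyphens only, no leading or
# trailing hyphen. An underscore is not allowed, so a label that starts with
# "_" can never be a legitimate hostname and cannot collide with a real subdomain.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname_label(label: str) -> bool:
    """True if `label` is a syntactically valid hostname label."""
    return HOSTNAME_LABEL.fullmatch(label) is not None


def is_valid_dcv_random_value(rv: str) -> bool:
    """Structural check on the random value itself: underscore prefix plus a
    non-empty alphanumeric token. This is the property that workflow-only
    regression tests never look at."""
    return rv.startswith("_") and len(rv) > 1 and rv[1:].isalnum()


def legacy_random_value(nbytes: int = 16) -> str:
    """Legacy flow: underscore prefix added to the random token."""
    return "_" + secrets.token_hex(nbytes)


def new_random_value_buggy(nbytes: int = 16) -> str:
    """Rewritten path modelled on the incident: the prefix is neither added
    nor checked for, so the value is a syntactically valid hostname label."""
    return secrets.token_hex(nbytes)


def dcv_record_name(domain: str, rv: str) -> str:
    """Fully-qualified owner name of the CNAME the applicant must publish."""
    return f"{rv}.{domain.rstrip('.')}."


def verify_cname_dcv(zone: Dict[str, Tuple[str, str]], domain: str, rv: str,
                     ca_target: str = CA_DCV_TARGET) -> Tuple[bool, str]:
    """Validator side. `zone` stands in for a live DNS lookup: a constructed
    mapping of owner name -> (record type, record data). The first check is
    the one the buggy path lacked; without it a value like "e3b0..." would be
    accepted even though it lives in an ordinary, collidable hostname label."""
    if not is_valid_dcv_random_value(rv):
        return False, "random value lacks the required underscore prefix"
    record = zone.get(dcv_record_name(domain, rv))
    if record is None:
        return False, "no record found at the validation name"
    rtype, rdata = record
    if rtype != "CNAME":
        return False, f"expected CNAME, found {rtype}"
    if rdata.lower() != ca_target.lower():
        return False, "CNAME does not point at the CA's DCV target"
    return True, "domain control confirmed"


def differential_mismatches(legacy_fn: Callable[[], str], new_fn: Callable[[], str],
                            trials: int = 100) -> int:
    """Compare the content of the random values from two implementations, not
    whether the workflow completes. Any run where the two disagree on the
    underscore property is a regression that workflow tests would miss."""
    return sum(
        is_valid_dcv_random_value(legacy_fn()) != is_valid_dcv_random_value(new_fn())
        for _ in range(trials)
    )


# Constructed zone snapshot for example.com (not real DNS data).
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "_e3b0c44298fc1c14.example.com.": ("CNAME", CA_DCV_TARGET),
    "e3b0c44298fc1c14.example.com.": ("CNAME", CA_DCV_TARGET),  # what the buggy path asked for
    "www.example.com.": ("A", "192.0.2.10"),
}

if __name__ == "__main__":
    print(verify_cname_dcv(SAMPLE_ZONE, "example.com", "_e3b0c44298fc1c14"))
    print(verify_cname_dcv(SAMPLE_ZONE, "example.com", "e3b0c44298fc1c14"))
    print("collidable hostname label?", is_hostname_label("e3b0c44298fc1c14"),
          is_hostname_label("_e3b0c44298fc1c14"))
    print("legacy vs buggy mismatches:",
          differential_mismatches(legacy_random_value, new_random_value_buggy))
```

The second `verify_cname_dcv` call is rejected even though the CNAME exists, because the random value without the underscore is a perfectly valid hostname label and could belong to anyone who can create subdomains under that zone. `differential_mismatches` is the review DigiCert says it skipped: it compares what the two generators produce, not whether the validation workflow runs to completion.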

The issue was only brought to light “several weeks ago” when an anonymous customer raised concerns about the random values used in validation, prompting a thorough investigation.

DigiCert said the bug affected approximately 0.4% of its domain validations, which works out to 83,267 certificates and 6,807 customers, according to an update on the related Bugzilla report.

Affected customers, who have been notified, are advised to replace their certificates promptly by logging into their DigiCert accounts, generating a new Certificate Signing Request (CSR), and reissuing the certificates once DCV has been completed again.
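The CSR step of that replacement procedure, as an added example that is not DigiCert's tooling: it generates a fresh key and CSR and reads the CSR back so the operator can confirm the Subject Alternative Names before uploading it for reissuance. It assumes the `openssl` command-line tool (1.1.1 or later, for `-addext`) is on PATH; the domain names are constructed placeholders.

```python
"""
Added example (not DigiCert's code or tooling): generate a fresh private key and
a Certificate Signing Request (CSR) for reissuance, then read the CSR back to
confirm it carries the expected Subject Alternative Names and a valid
self-signature before it is uploaded to the CA. Assumes the `openssl` CLI
(1.1.1 or later) is on PATH. Domain names used here are placeholders.
"""
from __future__ import annotations

import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def make_csr(common_name: str, sans: List[str], workdir: Optional[str] = None) -> Path:
    """Create a P-256 EC key and a CSR whose SAN extension lists every name in
    `sans`. Returns the CSR path; the key is written beside it as <cn>.key
    and locked down to owner-only permissions."""
    out = Path(workdir or tempfile.mkdtemp(prefix="reissue-"))
    key_path = out / f"{common_name}.key"
    csr_path = out / f"{common_name}.csr"
    san_ext = "subjectAltName=" + ",".join(f"DNS:{n}" for n in sans)
    subprocess.run(
        ["openssl", "req", "-new",
         "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
         "-nodes", "-keyout", str(key_path), "-out", str(csr_path),
         "-subj", f"/CN={common_name}", "-addext", san_ext],
        check=True, capture_output=True,
    )
    key_path.chmod(0o600)
    return csr_path


def csr_sans(csr_path: Path) -> List[str]:
    """Parse the DNS SANs back out of the CSR via `openssl req -text`."""
    text = subprocess.run(
        ["openssl", "req", "-in", str(csr_path), "-noout", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout
    return re.findall(r"DNS:([A-Za-z0-9.\-*]+)", text)


def csr_signature_ok(csr_path: Path) -> bool:
    """`openssl req -verify` checks the CSR's self-signature against the
    embedded public key; a non-zero exit means the CSR is corrupt."""
    result = subprocess.run(
        ["openssl", "req", "-in", str(csr_path), "-noout", "-verify"],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def reissue_check(common_name: str, sans: List[str]) -> Dict[str, object]:
    """One-shot helper: build the CSR and report what a CA will see in it."""
    csr = make_csr(common_name, sans)
    return {"csr": csr, "sans": csr_sans(csr), "signature_ok": csr_signature_ok(csr)}


if __name__ == "__main__":
    report = reissue_check("example.com", ["example.com", "www.example.com"])
    print(report)
```

Compare the parsed `sans` list against the names on the certificate being replaced before submitting the CSR; a reissued certificate that drops a name will pass DCV and still break a site.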

The revocations prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert warning that “the revocation of these certificates might result in temporary interruptions to websites, services, and applications reliant on these certificates for secure communication.”
