DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

Jul 31, 2024 · Ravie Lakshmanan · Web Security / Compliance

Certificate authority (CA) DigiCert has warned that it will revoke a subset of its SSL/TLS certificates within 24 hours because of an oversight in how it verified domain ownership before issuing them. The company stated that certificates issued without proper Domain Control Validation (DCV) will be revoked.

DigiCert validates a customer's control over a domain name before issuing a certificate by using methods approved by the CA/Browser Forum (CABF). One of these methods has the customer publish a DNS CNAME record containing a random value supplied by DigiCert; DigiCert then performs a DNS lookup to confirm that the published record matches the value it issued.

The issue arose because, in some CNAME-based validations, the random value was used without the required underscore prefix. The omission traces back to architectural changes made in 2019 that inadvertently removed the code responsible for adding the underscore prefix.

When DigiCert introduced a new random value generation process in June 2024, it did not compare the new output against the legacy system, so the non-compliance went unnoticed until recently.
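The CNAME-based check described above, modelled as an added example (not DigiCert's code): the defective legacy name without the underscore, the compliant form, a simulated DNS verification that rejects the non-prefixed name, and the legacy-versus-new regression check the article says was skipped. The value alphabet, the `dcv.ca.example.` CNAME target and the in-memory zone are constructed assumptions.

```python
import secrets
import string

# Added example, not DigiCert's code. It models the CNAME-based DCV check the
# article describes: the CA hands out a random value, the customer publishes a
# CNAME record whose leftmost label is that value prefixed with "_", and the CA
# verifies the record by DNS lookup. DNS is simulated with a constructed dict.

ALPHABET = string.ascii_lowercase + string.digits  # assumed value alphabet
DCV_TARGET = "dcv.ca.example."  # placeholder CA-controlled CNAME target


def new_random_value(length: int = 32) -> str:
    """Fresh unpredictable value, one per validation request."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def legacy_record_name(random_value: str, domain: str) -> str:
    """Reproduces the 2019 defect: the underscore prefix is silently dropped."""
    return f"{random_value}.{domain}"

def compliant_record_name(random_value: str, domain: str) -> str:
    """Correct form: the random value must sit in a label that starts with '_'."""
    return f"_{random_value}.{domain}"

def is_compliant_name(fqdn: str) -> bool:
    """Leftmost label must begin with '_' and carry a value after it."""
    first = fqdn.split(".", 1)[0]
    return first.startswith("_") and len(first) > 1

def verify_cname_dcv(fqdn: str, dns_answers: dict[str, str]) -> bool:
    """Accept the validation only if the name is compliant AND the CNAME
    resolves to the CA's target; a hit at a non-prefixed name is rejected."""
    if not is_compliant_name(fqdn):
        return False
    target = dns_answers.get(fqdn.lower().rstrip("."))
    return target is not None and target.lower() == DCV_TARGET

def find_noncompliant(record_names: list[str]) -> list[str]:
    """The regression check the article says was missing: run every name a
    generator produces through the compliance rule and report the failures."""
    return [n for n in record_names if not is_compliant_name(n)]


if __name__ == "__main__":
    rv = new_random_value()
    # Constructed zone: the customer published the record in the correct form.
    zone = {compliant_record_name(rv, "example.com"): DCV_TARGET}
    print(verify_cname_dcv(compliant_record_name(rv, "example.com"), zone))
    print(find_noncompliant([legacy_record_name(rv, "example.com")]))
```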

Approximately 0.4% of domain validations are affected by this incident, impacting 83,267 certificates and 6,807 customers. DigiCert advised affected customers to replace their certificates promptly by following the reissuance process after passing DCV.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert highlighting potential disruptions to websites, services, and applications due to the revocation of these certificates.
