DigiCert announced that it will revoke 83,267 SSL/TLS certificates, impacting 6,807 subscribers, due to an issue with its DNS-based domain validation.
The Certificate Authority initially required the affected customers to reissue their certificates within 24 hours, then extended the deadline to August 3rd for customers whose revocation would disrupt critical services.
Why does DigiCert have to revoke 83,267 TLS certificates?
When issuing a certificate for a domain, DigiCert validates that the customer controls or owns the domain name. For this it uses one of the methods approved by the CA/Browser Forum (CABF), in which the customer adds a DNS CNAME record that includes a random value provided by DigiCert.
DigiCert then performs a DNS lookup for the domain and checks for the same random value, which proves that the customer controls the domain.
One way to add the CNAME record requires the random value to be prefixed with an underscore character. The underscore prevents the random value from colliding with an actual hostname that happens to use the same label. DigiCert recently discovered that, in some CNAME-based validation cases, it failed to include the underscore prefix with the random value. This is why it must now revoke all impacted certificates.
DigiCert says the chance of such a collision actually occurring is low, yet a validation performed without the underscore prefix is considered non-compliant.
The organization fixed the code flaw that caused the underscore prefix oversight.
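As an added illustration of the check described above (example code, not DigiCert's), the following Python models a CNAME-based validation audit against a constructed zone. The CA-side target hostname, the challenge value and the zone contents are assumptions made for the example; no real DNS lookup is performed.

```python
import secrets
from typing import Dict, Tuple

# Hypothetical CA-side hostname the customer's CNAME must point at.
# Assumption for this example, not DigiCert's real validation target.
CA_TARGET = "dcv.example-ca.test"


def new_random_value(nbytes: int = 16) -> str:
    """CA-provided random value for the challenge (128 bits here)."""
    return secrets.token_hex(nbytes)


def expected_record_name(domain: str, random_value: str) -> str:
    """Owner name of the validation CNAME: underscore prefix + random value + domain."""
    return f"_{random_value}.{domain.rstrip('.')}".lower()


def audit_cname_validation(zone: Dict[str, str], domain: str,
                           random_value: str) -> Tuple[bool, str]:
    """Decide whether a CNAME-based domain-control proof is compliant.

    `zone` stands in for DNS answers: owner name -> CNAME target (constructed,
    no network lookup). Returns (compliant, reason).
    """
    wanted = expected_record_name(domain, random_value)
    target = zone.get(wanted)
    if target is not None:
        if target.lower().rstrip(".") == CA_TARGET:
            return True, f"{wanted} -> {target}"
        return False, f"{wanted} points at {target}, not {CA_TARGET}"
    # The defect described above: the random value was used as a plain label,
    # so it could collide with a real hostname and fails the CABF method.
    bare = f"{random_value}.{domain.rstrip('.')}".lower()
    if bare in zone:
        return False, f"{bare} lacks the underscore prefix; validation non-compliant"
    return False, f"no validation record found at {wanted}"


# Constructed challenge value and zones for a stand-alone run.
SAMPLE_VALUE = "5e1c3d2f6a7b8c9d0e1f2a3b4c5d6e7f"
ZONE_OK = {expected_record_name("example.com", SAMPLE_VALUE): CA_TARGET}
ZONE_NO_UNDERSCORE = {f"{SAMPLE_VALUE}.example.com": CA_TARGET}

if __name__ == "__main__":
    for label, zone in (("compliant", ZONE_OK), ("missing underscore", ZONE_NO_UNDERSCORE)):
        print(label, audit_cname_validation(zone, "example.com", SAMPLE_VALUE))
```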
Who can ask for a delay in DigiCert revoking TLS certificates?
DigiCert provided instructions on how to replace non-compliant TLS certificates and how to check whether existing certificates are compliant.
Given the short notice, customers complained that revoking the certificates would cause temporary disruptions to the websites, services, and applications that rely on them for secure communication.
We have identified 83,267 certs impacting 6,807 subscribers. We are planning to begin revoking within the 24-hour time window.
Some of these customers have been able to reissue their certificates. Unfortunately, many other customers operating critical infrastructure, vital telecommunications networks, cloud services, and healthcare industries are not in a position to be revoked without critical service interruptions.
Jeremy Rowley, DigiCert Chief Information Security Officer
Later, DigiCert said it had found a way to postpone revocations until August 3rd, but only under exceptional circumstances, to avoid disrupting critical services.
To avoid disruption to critical services, we have engaged with browser representatives alongside these customers over the last several hours.
Based on these discussions, we are now in a position to delay revocations under exceptional circumstances.
If you have not replaced your certificates yet, please send an email to delayed-revocation-request@digicert.com with the following information immediately:
- CertCentral Account ID
- Exceptional circumstances requiring revocation delay
- Planned completion date, no later than Saturday, August 3rd 2024, 19:30 UTC
Source – DigiCert Status Update
CISA also issued an alert on July 30th urging DigiCert customers to check their DigiCert accounts for potentially non-compliant certificates.