DigiCert, a leading digital certificate provider, has announced the revocation of thousands of certificates due to a domain validation error.
This decision follows the discovery of a critical issue in their Domain Control Validation (DCV) process, which has affected approximately 0.4% of their issued certificates.
The company is taking swift action to comply with the CA/Browser Forum (CABF) rules, which mandate the revocation of non-compliant certificates within 24 hours.
The Issue: Missing Underscore Prefix
The problem arose from an omission in the DCV process: Some DNS CNAME records did not include the required underscore prefix.
This prefix is crucial to ensure that the random value used for validation does not collide with actual domain names.
DigiCert’s recent modernization of its validation systems inadvertently led to this oversight. The legacy system automatically added the underscore, but the new architecture failed to do so in certain scenarios.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
CABF Baseline Requirements, any non-compliance in domain validation necessitates immediate revocation of the affected certificates. DigiCert has acknowledged this lapse and is working diligently to rectify the situation.
Impacted customers have been notified and are required to replace their certificates within 24 hours. DigiCert has provided detailed instructions for reissuing certificates through their CertCentral account.
Customers must log in, identify the impacted certificates, generate a new Certificate Signing Request (CSR), and complete any additional validation steps.
Specific instructions are available to automate the replacement process for those using a certificate management solution like Trust Lifecycle Manager.
DigiCert has assured customers that their support team is ready to assist with any questions or issues related to the issuance process. Customers can contact their account manager or reach out to DigiCert Support directly.
Preventive Measures and Future Actions
In response to this incident, DigiCert has outlined several preventive measures to avoid similar issues in the future. These include:
- Consolidation and review of all random value generators across DCV.
- Simplification of the user experience to eliminate the need for customers to know specific random value formats.
- Embedding compliance team members in all Certificate Authority (CA) and Registration Authority (RA) sprint teams.
- Increasing test coverage with compliance-based automated test cases.
- Open-sourcing DCV for community review.
DigiCert is committed to maintaining the highest standards of security and compliance. The company has taken immediate steps to address the issue and prevent its recurrence, ensuring its digital certificates’ continued trust and reliability.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo