2024-08-01
DigiCert Revokes Certificates Lacking Sufficient Domain Control Verification
On Monday, July 29, DigiCert announced that, due to a flaw in its Domain Control Verification (DCV) process, it would be revoking some certificates. Certification Authority/Browser Forum (CABF) rules require that the problematic certificates be revoked within 24 hours of the problem's detection. While DigiCert's write-up of the situation includes instructions for replacing affected certificates, the deadline for replacing them has passed. The issue affected 83,267 certificates belonging to 6,807 customers, roughly 0.4% of all DigiCert's certificates.
Editor's Note
DigiCert's violation of the CA rules is relatively minor, and highly unlikely to cause issues. However, mass revocations like this can be disruptive for affected entities. One DigiCert customer obtained a court order to delay the revocation. The "CA ecosystem" has been the source of the most significant vulnerabilities in TLS in recent years. Compared to weaknesses in TLS algorithms and implementations, CA vulnerabilities have been exploited regularly. In response, the CA/Browser Forum established very strict rules around verifying domain control. Seeing them enforce these rules is a good thing, but I don't think customers are ready for it yet. Expect more revocation actions like this in the future, and get a handle on how you manage the certificate lifecycle.
Johannes Ullrich
DC validation is one where they have you create a CNAME DNS record with a specific random value, which they use to verify the domain was, indeed, yours. The problem is the random value didn't always start with an underscore, required by RFC 1034, which meant it could collide with a legitimate CNAME. The flaw was introduced in a software update back in August 2019, which is now fixed. If you're a DigiCert user, you should have been notified that your cert was going to be revoked and that you needed to take action. The due date was July 31, 19:30 UTC. Either check your account for certificate status or do a revocation check on existing DigiCert certificates if you're not certain this was addressed. While there was a delay option prior to the cutoff, if you're revoked the only option is to replace those certificates.
Lee Neely
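As an added illustration of the validation-label issue described in the note above (example code written for this page, not DigiCert's or any CA's own implementation; the function names, the token format and the sample DNS snapshot are assumptions), the following shows why a CNAME validation label needs the leading underscore: an underscore can never appear in a hostname label, so a record named `_<token>.example.com` cannot collide with a real host, whereas a bare `<token>.example.com` could. It also includes the kind of audit a certificate owner or CA would run to find validations that used the unprefixed form.

```python
import hmac
import secrets
import string

# Constructed resolver snapshot (sample data, not real DNS): owner name -> CNAME targets.
# "_dcv-1f3a9c..." is a correctly prefixed validation record; "a7c2e9f1..." is the
# unprefixed form that is indistinguishable from an ordinary host record.
SAMPLE_DNS = {
    "_dcv-1f3a9c.example.com.": ["a7c2e9f1.dcv-validate.invalid."],
    "a7c2e9f1.example.com.": ["a7c2e9f1.dcv-validate.invalid."],
    "www.example.com.": ["example-lb.cdn.invalid."],
}

# Assumed token format: hex string from a CSPRNG.
def new_token(nbytes=8):
    return secrets.token_hex(nbytes)


def dcv_label(domain, token, prefixed=True):
    """Build the owner name the applicant is asked to create.

    prefixed=True yields the safe form (_token.domain.); prefixed=False reproduces
    the flawed form, where the label could also be a legitimate hostname.
    """
    left = f"_{token}" if prefixed else token
    return f"{left}.{domain.rstrip('.')}."


def is_hostname_label(label):
    """True if label is a valid LDH (letters, digits, hyphen) hostname label."""
    if not label or len(label) > 63:
        return False
    if label[0] == "-" or label[-1] == "-":
        return False
    allowed = set(string.ascii_letters + string.digits + "-")
    return all(c in allowed for c in label)


def collides_with_hostname_space(name):
    """A validation name collides if its leftmost label could be a real hostname."""
    return is_hostname_label(name.split(".")[0])


def verify_dcv(name, expected_target, resolver=SAMPLE_DNS):
    """Check the applicant's CNAME against the expected target.

    Refuses to validate from a name that could double as a hostname, so an
    unrelated record created for other reasons can never satisfy the check.
    """
    if collides_with_hostname_space(name):
        return "reject: validation label is a valid hostname label"
    for target in resolver.get(name, []):
        # Constant-time compare of the normalized target value.
        if hmac.compare_digest(target.lower(), expected_target.lower()):
            return "pass"
    return "fail: no matching CNAME"


def audit_validation_names(names):
    """Return the validation names that used the unprefixed (collidable) form."""
    return [n for n in names if collides_with_hostname_space(n)]


if __name__ == "__main__":
    token = new_token()
    print(dcv_label("example.com", token))           # _<token>.example.com.
    print(verify_dcv("_dcv-1f3a9c.example.com.", "a7c2e9f1.dcv-validate.invalid."))
    print(verify_dcv("a7c2e9f1.example.com.", "a7c2e9f1.dcv-validate.invalid."))
    print(audit_validation_names(list(SAMPLE_DNS)))
```

Run against your own record of past validations, `audit_validation_names` gives the list of names that would have been caught by the fix; the `reject` branch in `verify_dcv` is the check that was missing when the label was generated without the underscore.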
This is a good example of a Certificate Authority having a process in place and then actually taking action if a problem occurs. It is also a good test to see if your authentication processes will actually notice that certificates have been revoked …
John Pescatore
Many people got hit with a short-notice request to emergency-swap their certificates. Be kind to your IT folks between this and the CrowdStrike fiasco; they have been kicked enough this month. For people leaders, how are you managing your individual contributors' burnout? Watch for it, as there have been a lot of people running around the last month putting out different fires.
Moses Frost
Read more in:
DigiCert: DigiCert Revocation Incident (CNAME-Based Domain Validation)
Security Online: DigiCert Revokes Certificates: What You Need to Know
The Register: More than 83K certs from nearly 7K DigiCert customers must be swapped out now
Security Week: DigiCert Revoking 83,000 Certificates of 6,800 Customers
Bleeping Computer: DigiCert to delay cert revocations for critical infrastructure