Certificate authority (CA) DigiCert has warned that it will revoke a subset of its SSL/TLS certificates within 24 hours due to flaws in the way it verifies whether digital certificates were issued to legitimate domain owners.
The company said it will take steps to revoke certificates that do not have proper Domain Control Validation (DCV) in place.
“Prior to issuing a certificate to a customer, DigiCert will use one of several CA/Browser Forum (CABF) approved methods to verify control or ownership over the domain name for which the customer is requesting a certificate,” the company said.
One way this is accomplished is for customers to set up a DNS CNAME record that contains a random value provided by DigiCert, after which DigiCert will perform a DNS lookup for the domain in question to verify that the random value is the same.
According to DigiCert, the random value is preceded by an underscore character to prevent collisions with actual subdomains that use the same random value.
What the Utah-based company discovered was that the random values used in some CNAME-based validation cases did not include an underscore prefix.
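The CNAME method and the underscore rule described above, as an added example (not DigiCert's code or its actual validation logic): a small CA-side checker that builds the expected record name from a random value, looks it up in a zone snapshot, and refuses to validate when the label lacks the underscore prefix. The record layout `_<random>.<domain> CNAME <CA target>`, the CA target name, the zone dictionary and the sample validations are all constructed for this example.

```python
"""Added example: CNAME-based Domain Control Validation with the underscore rule.

Not DigiCert's code. Record layout (_<random>.<domain> CNAME CA_TARGET), the CA
target name and the zone snapshot below are assumptions made for the example.
"""
import re
import secrets
from typing import Dict, List, Optional, Tuple

# RFC 1123 host label: letters, digits, hyphens, no leading/trailing hyphen.
# A label that starts with '_' can never match this, so it can never be a real
# subdomain name; a bare hex random value matches it and therefore could collide.
HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

CA_TARGET = "dcv.example-ca.test."  # assumed CNAME target the CA asks for


def new_random_value(nbytes: int = 16) -> str:
    """Fresh random value for one validation attempt (128 bits of entropy)."""
    return secrets.token_hex(nbytes)


def validation_name(domain: str, random_value: str,
                    prefix_underscore: bool = True) -> str:
    """Owner name of the CNAME the applicant must publish, as an absolute name."""
    label = ("_" if prefix_underscore else "") + random_value
    return f"{label}.{domain}".lower().rstrip(".") + "."


def audit_label(name: str) -> Optional[str]:
    """Return why the validation label is non-compliant, or None if it is fine."""
    label = name.split(".")[0]
    if label.startswith("_"):
        return None
    reason = f"label {label!r} lacks the underscore prefix"
    if HOST_LABEL.match(label):
        reason += " and is a valid hostname label, so it could collide with a real subdomain"
    return reason


def check_cname_dcv(zone: Dict[str, str], domain: str, random_value: str,
                    prefix_underscore: bool = True) -> Tuple[bool, str]:
    """CA-side check over a zone snapshot {owner name: CNAME target}.

    The label audit runs before the lookup: a record that is present but sits at
    a non-underscore name must not count as proof of control.
    """
    name = validation_name(domain, random_value, prefix_underscore)
    problem = audit_label(name)
    if problem:
        return False, "non-compliant: " + problem
    target = zone.get(name)
    if target is None:
        return False, f"no CNAME record at {name}"
    if target.lower().rstrip(".") != CA_TARGET.rstrip("."):
        return False, f"CNAME at {name} points to {target}, expected {CA_TARGET}"
    return True, f"validated {domain} via {name}"


def find_noncompliant(validations: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replay audit over past (domain, label) validations: which ones skipped the '_'?"""
    return [(d, lbl) for d, lbl in validations if audit_label(f"{lbl}.{d}.")]


if __name__ == "__main__":
    rv = new_random_value()
    # Constructed zone snapshot: the applicant published the record correctly.
    zone = {validation_name("example.com", rv): CA_TARGET}
    print(check_cname_dcv(zone, "example.com", rv))
    # Same random value, but the CA path that forgot the prefix: rejected.
    print(check_cname_dcv(zone, "example.com", rv, prefix_underscore=False))
    # Replay over constructed historical validations, one of which lacks the '_'.
    print(find_noncompliant([("a.test", "_" + rv), ("b.test", rv)]))
```

The audit runs before the DNS lookup on purpose: the failure mode in the incident was not a missing record but a record accepted at a name that a mere subdomain holder could have created, so the checker treats the shape of the label as part of the evidence, not just the presence of the value.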
The issue stems from a series of changes, begun in 2019, to revamp the underlying architecture. As part of that work the code that added the underscore prefix was removed and then “added to some paths in updated systems,” but not to one path, where the prefix was neither added automatically nor checked for before the random value was used.
“The omission of the automatic underscore prefix was not discovered during the cross-functional team review conducted prior to the deployment of the updated system,” DigiCert said.
“We had regression testing in place, but we were unable to inform functionality changes because the scope of regression testing was limited to workflow and functionality, not the content/structure of random values.”
“Unfortunately, no review was conducted to compare the legacy random value implementation with the new system’s random value implementation for all scenarios. Had these evaluations been conducted, we would have discovered sooner that the system was not automatically adding an underscore prefix to random values when required.”
DigiCert further said that on June 11, 2024, within the scope of a user experience enhancement project, it revamped its random value generation process to eliminate the manual addition of the underscore prefix, but again admitted that it was unable to “compare this UX change to the underscore flow of the legacy system.”
The company said it was contacted by an anonymous customer “several weeks ago” regarding the random values used in validation, and that the non-compliance issue was not identified until a more detailed investigation was conducted.
The incident affected approximately 0.4% of the applicable domain validations; an update to the associated Bugzilla report puts the impact at 83,267 certificates and 6,807 customers.
Customers who are notified are encouraged to replace their certificates as soon as possible by signing in to their DigiCert accounts, generating a Certificate Signing Request (CSR), and reissuing the certificates after they pass DCV.
In response to this incident, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning, saying that “the revocation of these certificates may cause temporary disruptions to websites, services, and applications that rely on these certificates for secure communications.”