DigiCert, a leading certificate authority, has announced a major security issue affecting thousands of SSL/TLS certificates due to a Domain Control Verification error. The problem was identified when it was discovered that DigiCert’s DNS-based verification process had a flaw: it failed to include an underscore prefix in CNAME records used for domain validation. This minor oversight has significant implications, impacting approximately 0.4% of domain validations conducted by the company. The error violates the CA/Browser Forum’s (CABF) Baseline Requirements, which mandate that such records must include an underscore in certain situations to prevent domain name collisions.
The CABF requirements are stringent, designed to ensure that domain validation is carried out properly and securely. By not adhering to these rules, DigiCert’s certificates were deemed non-compliant, prompting the need for immediate action. According to CABF regulations, any certificate found to be non-compliant must be revoked within 24 hours of discovery. This rule is in place to prevent potential security vulnerabilities and to maintain the integrity of the certification process. As a result, DigiCert has been forced to revoke all affected certificates within this tight timeframe.
DigiCert has moved quickly to address the issue, notifying all impacted customers and providing them with urgent instructions. Customers are advised to log into their DigiCert CertCentral accounts to identify and reissue or rekey their affected certificates. They must complete any additional required validation steps and install the new SSL/TLS certificates promptly. DigiCert has emphasized the critical nature of this action, as failure to replace the compromised certificates could result in disruptions to website security and operations.
The root cause of the problem has been traced back to changes made in DigiCert’s domain validation systems in August 2019. These changes, part of a modernization effort, inadvertently removed a crucial validation step, which went undetected due to limitations in the company’s regression testing procedures. DigiCert has apologized for any inconvenience caused and is committed to assisting its customers throughout the remediation process. The company is also reviewing its validation processes to prevent similar issues in the future and to enhance overall security measures.
Reference:
