DigiCert, a well-known digital certificate provider, recently made headlines after announcing the revocation of thousands of certificates because of a domain validation error. The decision followed the discovery of a flaw in its Domain Control Validation (DCV) process that affected roughly 0.4% of the applicable domain validations the company had in effect.
The company moved quickly to comply with the CA/Browser Forum (CABF) Baseline Requirements, which oblige a CA to revoke within 24 hours any certificate whose domain validation can no longer be relied upon. The issue stemmed from a missing underscore prefix in some DNS CNAME records. In CNAME-based DCV, the CA hands the customer a random value, and the customer publishes it as a DNS label under the domain being validated. The Baseline Requirements require that label to begin with an underscore, a character that is not permitted in a hostname, so that the validation label can never collide with a real host name and be satisfied by whoever happens to control such a host.
DigiCert attributed the oversight to a recent overhaul of its validation systems: the legacy system added the underscore automatically, while the new architecture failed to do so in certain code paths, so some customers were told to create CNAME records on a label consisting of the bare random value. Acknowledging the mistake, DigiCert worked to identify the affected validations and notify the impacted customers.
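As an added illustration, not DigiCert's code or the page's own, the following Python audits a set of DNS-CNAME DCV records against the underscore rule of Baseline Requirements method 3.2.2.4.7 ("DNS Change") and shows why a label without the prefix matters: it is a syntactically valid RFC 1123 hostname label and could therefore coincide with a real host, whereas an underscore-prefixed label cannot. The DCV target name, the random values, the sample records and the in-memory stand-in for DNS are all constructed for the example.

```python
"""Audit DNS-CNAME domain control validation (DCV) records for the
underscore-prefix rule (BR method 3.2.2.4.7).

Added example, not DigiCert's code.  The random value may sit in a CNAME
record either on the Authorization Domain Name itself or on a label,
prefixed to it, that begins with an underscore.  Underscore is not legal
in a hostname (RFC 952 / RFC 1123), so "_k7x9pq2m.example.com" can never
be a real host, while "k7x9pq2m.example.com" could be.  Everything below
(target name, random values, records, "DNS") is constructed for the demo.
"""
import re
from dataclasses import dataclass

# An RFC 1123 hostname label: letters, digits and hyphens, not starting or
# ending with a hyphen, 1-63 octets.  Anything matching this could be a host.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Hypothetical CNAME target the CA tells customers to point the record at.
DCV_TARGET = "dcv.example-ca.invalid"


@dataclass
class DcvRecord:
    domain: str        # Authorization Domain Name being validated
    random_value: str  # random value the CA generated for this validation
    dcv_name: str      # CNAME owner name the CA instructed the customer to create


def dcv_name_for(domain, random_value):
    """Build the compliant owner name: random value as an underscore-prefixed label."""
    return f"_{random_value}.{domain}"


def label_could_be_hostname(label):
    """True if the label is a syntactically valid hostname label (collision possible)."""
    return bool(HOSTNAME_LABEL.match(label))


def audit(record):
    """Return a list of compliance findings; an empty list means the record is fine."""
    findings = []
    label, _, parent = record.dcv_name.partition(".")
    if parent != record.domain:
        findings.append("dcv name is not directly under the validated domain")
    if not label.startswith("_"):
        findings.append("random-value label lacks underscore prefix")
        if label_could_be_hostname(label):
            findings.append("label is a syntactically valid hostname; collision possible")
    elif label[1:] != record.random_value:
        findings.append("label does not carry the expected random value")
    return findings


def dcv_passes(record, resolver):
    """The control check itself: the CNAME at dcv_name must point at the CA target.
    `resolver` is a dict standing in for a DNS lookup so this runs offline."""
    return resolver.get(record.dcv_name) == DCV_TARGET


def find_noncompliant(records):
    """Validations that rest on a non-compliant record (the revocation population)."""
    return [(r.domain, audit(r)) for r in records if audit(r)]


# Constructed sample data.  The second record is the failure mode described
# in the article: the customer followed instructions that omitted the underscore,
# the CNAME exists, and the control check passes anyway.
CONSTRUCTED_DNS = {
    "_k7x9pq2m.example.com": DCV_TARGET,
    "k7x9pq2m.example.org": DCV_TARGET,
}

SAMPLE_RECORDS = [
    DcvRecord("example.com", "k7x9pq2m", dcv_name_for("example.com", "k7x9pq2m")),
    DcvRecord("example.org", "k7x9pq2m", "k7x9pq2m.example.org"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.dcv_name, "passes DCV:", dcv_passes(rec, CONSTRUCTED_DNS),
              "findings:", audit(rec) or "none")
```

Both sample records pass the control check, which is exactly why a compliance audit has to run independently of it: the second record validates successfully yet rests on a label that a real host could occupy, and a CA discovering such records after issuance is in the revocation situation the article describes.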
Impacted customers were instructed to replace their certificates within the 24-hour window. DigiCert provided guidance on reissuing certificates through their CertCentral account, including generating new Certificate Signing Requests (CSRs) and completing any validation steps that were still required. For users of certificate management solutions such as Trust Lifecycle Manager, specific instructions were available to automate the replacement.
To prevent similar incidents, DigiCert outlined several measures: consolidating and reviewing all random value generators used across DCV, simplifying the user experience by removing the need for customers to handle specific random value formats, and embedding compliance team members in every Certificate Authority (CA) and Registration Authority (RA) sprint team. The company also plans to increase test coverage with compliance-based automated test cases and to open-source its DCV code for community review.
DigiCert emphasized its commitment to security and compliance, taking immediate corrective action to address the issue and prevent its recurrence, with the aim of preserving the trust that customers and partners place in its certificates.
Overall, the incident underscores how much the integrity of a digital certificate depends on the rigor of the validation that precedes its issuance: a single missing character in a DNS label was enough to make thousands of validations non-compliant. Certificate providers need to keep validation logic under continuous test and review, not only at the time a new system is introduced.