Certification authority (CA) DigiCert has warned that it will revoke a subset of SSL/TLS certificates within 24 hours due to an oversight in how it verifies that a digital certificate is issued to a legitimate domain owner.
The company said it will revoke certificates that were issued without proper domain control validation (DCV).
“Before issuing a certificate to a customer, DigiCert verifies the customer’s control or ownership of the domain name for which it is requesting a certificate using one of several methods approved by the CA/Browser Forum (CABF),” it said.
One of those methods relies on the customer creating a DNS CNAME record that carries a random value supplied by DigiCert; DigiCert then performs a DNS lookup on the corresponding name to confirm that the random value it finds matches the one it issued.
The label DigiCert asks the customer to create is prefixed with an underscore character, which can never appear in a real hostname, so that the validation name cannot collide with an actual subdomain that happens to use the same random value.
The Utah-based company discovered that it failed to include an underscore prefix with a random value used in some CNAME-based validation cases.
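The following is an added worked example of the CNAME-based check described above, written for this page and not DigiCert's own code. It uses an in-memory DNS table constructed here so it runs offline (a real validator would issue a live CNAME query), and the CA validation target domain `dcv.example-ca.test`, the record layout and the `add_underscore` switch are assumptions used to contrast the compliant path with the defective one the article describes. It also includes an audit function of the kind one would use to find validation records issued without the underscore prefix.

```python
"""CNAME-based domain control validation (DCV) with the CABF underscore rule.

Added example, not DigiCert's code. The zone table is constructed inline so the
example runs offline; CA_VALIDATION_DOMAIN and the record layout are assumptions.
"""
import secrets
import string

CA_VALIDATION_DOMAIN = "dcv.example-ca.test"  # assumed CA-controlled domain


def generate_random_value(length: int = 32) -> str:
    """Unpredictable value the CA hands to the customer (lowercase alnum only,
    so it is always a valid DNS label)."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validation_label(random_value: str, add_underscore: bool = True) -> str:
    """Left-hand label the customer must create under the domain.

    CABF Baseline Requirements require the label to begin with an underscore so it
    cannot collide with a real hostname (underscores are not valid in hostnames).
    add_underscore=False reproduces the defective code path the article describes.
    """
    return f"_{random_value}" if add_underscore else random_value


def expected_cname_target(random_value: str) -> str:
    """Right-hand side the CNAME must point at (assumed layout)."""
    return f"{random_value}.{CA_VALIDATION_DOMAIN}"


def lookup_cname(zone: dict, fqdn: str):
    """Stand-in for a live CNAME query; zone keys are lowercase FQDNs without
    trailing dot, values are CNAME targets as returned by DNS."""
    return zone.get(fqdn.lower().rstrip("."))


def verify_dcv(zone: dict, domain: str, random_value: str,
               add_underscore: bool = True) -> bool:
    """Return True only if the CNAME at <label>.<domain> carries the random value."""
    fqdn = f"{validation_label(random_value, add_underscore)}.{domain}"
    target = lookup_cname(zone, fqdn)
    if target is None:
        return False
    # DNS names are case-insensitive; tolerate a trailing dot in the answer.
    return target.lower().rstrip(".") == expected_cname_target(random_value)


def is_compliant_label(label: str) -> bool:
    """Compliance check a CA should run on every stored validation record."""
    return label.startswith("_")


def audit_validation_records(records: list) -> list:
    """Return the records whose validation label lacked the underscore prefix,
    i.e. the class of validations that must be redone and the certificates revoked."""
    return [r for r in records if not is_compliant_label(r["label"])]


if __name__ == "__main__":
    rv = generate_random_value()
    # Constructed zone: the customer correctly created the underscore-prefixed CNAME,
    # and separately runs a real host whose name happens to equal the random value.
    zone = {
        f"_{rv}.example.com": f"{rv}.{CA_VALIDATION_DOMAIN}.",
        f"{rv}.example.com": "www.example.com.",
    }
    print("compliant path verifies:", verify_dcv(zone, "example.com", rv))
    print("defective path verifies:", verify_dcv(zone, "example.com", rv, add_underscore=False))
    records = [
        {"serial": "01", "label": validation_label(rv)},
        {"serial": "02", "label": validation_label(rv, add_underscore=False)},
    ]
    print("records needing revalidation:", [r["serial"] for r in audit_validation_records(records)])
```

The defective path is not just a stylistic slip: a label without the underscore is a legal hostname, so the check no longer distinguishes a record created specifically for validation from an ordinary subdomain, which is exactly what the CABF rule is meant to prevent. Running `audit_validation_records` over stored validation records is the kind of check that would have surfaced the 0.4% of cases before a customer report did.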
The problem stems from a series of changes introduced in 2019 to modernize DigiCert's core architecture. The code that added the underscore prefix was removed from the legacy system and “added to some paths in the updated system”, but not to one path, which neither added the underscore automatically nor checked whether the random value already carried it.
“The lack of an automatic underscore prefix was not discovered during cross-functional team reviews that occurred prior to the deployment of the updated system,” DigiCert said.
“Although we had regression testing, these tests did not alert us to a change in functionality because the regression tests covered workflows and functionality, not random value content/structure.”
“Unfortunately, no reviews have been done to compare the old implementations of random values with the implementations of random values in the new system for each scenario. If we had performed these evaluations, we would have known earlier that the system does not automatically prefix the underscore to the random value where necessary.”
Later, on June 11, 2024, DigiCert said it had re-engineered the random value generation process and eliminated the manual addition of the underscore prefix as part of a user experience improvement project, but admitted that it again failed to “compare this UX change to the underscore flow in the legacy system.”
The company said it did not discover the discrepancy until “several weeks ago”, when an unnamed customer reached out about the random values used in validation, prompting a deeper review.
DigiCert also noted that the incident affects about 0.4% of applicable domain validations, which according to an update in the corresponding Bugzilla report amounts to 83,267 certificates and 6,807 customers.
Notified customers are encouraged to replace their certificates as soon as possible by logging into their DigiCert accounts, creating a Certificate Signing Request (CSR) and reissuing them after passing DCV.
The event prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert stating that “revocation of these certificates may cause temporary disruptions to websites, services, and applications that rely on these certificates for secure communication.”