DigiCert Revokes TLS Certificates Due To Verification Issue

The mass revocation comes on the heels of Google's recent ban of Entrust certs.

Certificate Authority (CA) DigiCert recently said it is revoking TLS certificates that lack proper Domain Control Verification (DCV).

DigiCert sent customers a message, which it shared with MES Computing, about the issue and how they can remediate it:

"We're writing to inform you that DigiCert must revoke your certificates, no later than JULY 30, 2024, at 19:30 UTC.

To avoid disruption, you must reissue/rekey and reinstall the impacted certificates before they are revoked no later than JULY 30, 2024, at 19:30 UTC."

The company cited the reason in a post on its site, "We did not include the underscore prefix with the random value used in some CNAME-based validation cases. This impacted approximately 0.4% of the applicable domain validations we have in effect. Under strict CABF rules, certificates with an issue in their domain validation must be revoked within 24 hours, without exception."
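The defect DigiCert describes is a validation record name that carries the bare random value instead of the underscore-prefixed one. The following audit helper is an added example, not DigiCert's code; it assumes the CNAME-based DCV record is named `_<random-value>.<domain>` and uses constructed sample records to show how a compliant record, one missing the underscore prefix, and one with the wrong random value are told apart.

```python
"""Audit CNAME-based Domain Control Validation (DCV) record names for the
underscore-prefix rule. Added example, not DigiCert's code; the record
layout `_<random>.<domain>` is an assumption based on the incident text."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DcvRecord:
    domain: str         # domain being validated, e.g. "example.com"
    random_value: str   # random value the CA handed to the applicant
    record_name: str    # CNAME owner name the applicant actually created


def expected_dcv_name(domain: str, random_value: str) -> str:
    """Build the compliant DCV owner name: underscore-prefixed random label.
    The underscore guarantees the label can never be a real RFC 1123 hostname,
    so the validation record cannot collide with a live service."""
    return f"_{random_value}.{domain.rstrip('.')}".lower()


def dcv_issue(rec: DcvRecord) -> Optional[str]:
    """Return None if the record is compliant, otherwise a short finding."""
    name = rec.record_name.rstrip(".").lower()
    domain = rec.domain.rstrip(".").lower()
    if not name.endswith("." + domain):
        return "record not under validated domain"
    label = name[: -len(domain) - 1]
    rv = rec.random_value.lower()
    if label == rv:
        # The defect in the incident: random value without the "_" prefix.
        return "missing underscore prefix"
    if label != "_" + rv:
        return "random value mismatch"
    return None


def audit(records: list) -> dict:
    """Group record names by finding; the 'ok' bucket holds compliant ones."""
    out: dict = {}
    for rec in records:
        out.setdefault(dcv_issue(rec) or "ok", []).append(rec.record_name)
    return out


# Constructed sample records (not real validations or customer data).
SAMPLE = [
    DcvRecord("example.com", "abc123", "_abc123.example.com"),
    DcvRecord("example.org", "def456", "def456.example.org"),
    DcvRecord("example.net", "ghi789", "_zzz999.example.net"),
]

if __name__ == "__main__":
    for finding, names in audit(SAMPLE).items():
        print(f"{finding}: {names}")
```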

The revocation got the attention of the federal government, with the U.S. Cybersecurity & Infrastructure Security Agency issuing a statement.

From CISA's website as of July 30:

"DigiCert, a certificate authority (CA) organization, is revoking a subset of transport layer security (TLS) certificates due to a non-compliance issue with domain control verification (DCV). Revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication. DigiCert has notified affected customers and provided instructions on how to replace non-compliant certificates."

For customers that are not able to re-issue their certificates by DigiCert's deadline, the company is attempting to make accommodations:

"We have been actively engaged with impacted customers, many of whom have been able to reissue their certificates. However, there are a number of customers operating critical infrastructure and are not in a position to have all their certificates reissued and deployed in time, without critical service interruptions. To avoid disruption to critical services, we engaged with key stakeholders in the web PKI community alongside these customers yesterday, and based on these discussions, we are delaying revocations under exceptional circumstances but still on a very tight timeline. We are still actively processing delay requests for these exceptional circumstances," DigiCert told MES Computing in a statement.

However, DigiCert also said: "All certificates impacted by this incident, regardless of circumstances, will be revoked no later than Saturday, August 3rd 2024, 19:30 UTC."

DigiCert is one of the world's leading CAs issuing SSL/TLS certificates, according to Gartner and other sources. Its CEO, Amit Sinha, took to LinkedIn to "apologize to our customers and partners that may be impacted in the next 24 hours."

"To our impacted customers and partners: You have my commitment that we have and will continue to improve our systems and processes with UX simplification, proactive compliance reviews, and improved test coverage to reduce such errors. We will also work with you on leveraging Trust Lifecycle Manager-based automation to make replacement of expired or revoked certificates a non-event," his post continued, in part.

This all comes on the heels of Google's ban on Entrust's public-facing TLS certificates. In early July, Google put the hammer on Entrust certs, saying, "Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust," and that those reports "eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner."

In a statement to MES Computing on whether the revocation could cause Google to take similar action against DigiCert, DigiCert said that it "is taking a transparent approach with the web PKI community to coordinate the appropriate actions and information so that what happened with Entrust does not happen with DigiCert."

"While unfortunate, the DigiCert SSL/TLS certificate bug points to the need for comprehensive auditing at all steps of the domain certification process. For certificate authorities (CA), consistency and oversight are integral to security, and must be a continuous practice. And automation of certificate management can be a valuable friend to companies, especially those that need to remain public CA agnostic," said Chris Hickman, CSO of Keyfactor – an identity-first security solution for enterprises.

Hickman also weighed in on whether Google would take action against DigiCert. "This incident also follows closely on the heels of Entrust's certificates no longer being trusted by Google, underscoring the important role that CAs have when it comes to minding the quality of SSL/TLS certificates issued from the publicly rooted providers. Will Google take action following this bug like they did with Entrust? That remains to be seen. Regardless, organizations need to prioritize an airtight audit process and management of certificates across their entire software ecosystems," he added.

Though not an official CA, Keyfactor offers services that compete with DigiCert's offerings.

DigiCert also detailed how customers could reissue and reinstall their revoked certs in a post.