July 30, 2024 at 11:08AM
DigiCert is warning that it is mass-revoking SSL/TLS certificates due to a bug in domain verification, affecting around 0.4% of certificates issued between August 2019 and June 2024. The bug, involving the absence of an underscore in CNAME records, could lead to security risks. DigiCert has taken corrective actions, and impacted customers must reissue certificates within 24 hours.
The key takeaways are:
– DigiCert is mass-revoking SSL/TLS certificates due to a bug in domain verification, affecting approximately 0.4% of domain validations conducted between August 2019 and June 2024.
– The bug was related to the absence of the underscore prefix in the random value used for domain validation, posing a potential security risk.
– DigiCert has already taken corrective actions, including consolidating random value generators, simplifying user experience, and expanding test coverage for compliance-based scenarios.
– Impacted customers are required to log in to their DigiCert CertCentral account, identify impacted certificates, generate a new Certificate Signing Request (CSR) for the domain, and conduct another Domain Control Verification to reissue certificates.
– Failure to complete the reissuance process before the 24-hour deadline for revoking impacted certificates will result in a loss of connectivity for the website or application.
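
As an added example (not DigiCert's code and not part of the original summary), the following audit checks whether each CNAME validation record in a zone carries the underscore prefix on its random-value label, which is the defect described above. The zone lines, random values, domain names and the owner layout `<random value>.<domain>` are constructed assumptions.

```python
# Constructed zone-file lines, not real records. Assumed layout:
#   <owner> [ttl] [class] CNAME <target>
# where a validation record's owner is "<random value>.<domain>".
SAMPLE_ZONE = """\
; validation records added for certificate orders
_k3v9x2q7m1p8z5a4.shop.example.com. 300 IN CNAME dcv.ca.example.
K3V9X2Q7M1P8Z5A5.blog.example.com.  300 IN CNAME dcv.ca.example.
www.example.com.                    300 IN CNAME cdn.example.net.
"""

# Random values issued per domain (constructed placeholders).
ISSUED = {
    "shop.example.com": "k3v9x2q7m1p8z5a4",
    "blog.example.com": "k3v9x2q7m1p8z5a5",
    "api.example.com": "k3v9x2q7m1p8z5a6",
}


def parse_cname_owners(zone_text):
    """Return the lower-cased owner names of all CNAME records."""
    owners = set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments
        # The record type sits between the owner and the target.
        if len(fields) >= 3 and "CNAME" in (f.upper() for f in fields[1:-1]):
            owners.add(fields[0].rstrip(".").lower())
    return owners


def audit_dcv_cnames(zone_text, issued):
    """Classify each domain's validation record by its underscore prefix."""
    owners = parse_cname_owners(zone_text)
    report = {}
    for domain, value in issued.items():
        name = f"{value.lower()}.{domain.rstrip('.').lower()}"
        if "_" + name in owners:
            report[domain] = "ok"                  # prefixed label present
        elif name in owners:
            report[domain] = "missing_underscore"  # the defect in question
        else:
            report[domain] = "not_found"           # no validation record
    return report


if __name__ == "__main__":
    for domain, status in audit_dcv_cnames(SAMPLE_ZONE, ISSUED).items():
        print(f"{domain}: {status}")
```

Domains reported as `missing_underscore` are the ones to match against the impacted-certificate list in CertCentral.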