July 30, 2024 at 09:41PM
DigiCert has identified a 5-year-old software error in its backend, prompting the revocation of SSL/TLS certificates for about 0.4% of domains it validates. Customers must replace these certificates within 24 hours due to a bug in validation, whereby an underscore was not added to challenge values. DigiCert is reissuing certificates and providing support to affected customers.
DigiCert has encountered a significant issue with the validation process for SSL/TLS security certificates. Due to a long-standing bug in the backend software, certificates issued through a particular validation method need to be revoked and replaced. This affects approximately 0.4% of domain validations conducted by DigiCert.
The bug involves verifying domain ownership through DNS CNAME records that carry a random challenge value: the underscore was not consistently added to that value during validation. DigiCert’s failure to enforce the underscore requirement set by the rules of the CA/Browser Forum led to the issuance of technically untrustworthy certificates. The company has acknowledged this oversight and is taking steps to rectify the situation.
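The condition described above can be checked mechanically. The following is an added example, not DigiCert's code: it scans zone-file style text for CNAME validation records and flags those whose challenge label lacks the underscore. The validation target `dcv.ca.example`, the record names and the random values are constructed placeholders, and the check assumes the challenge value is the leftmost label of the record.

```python
# Constructed sample records (not real validation data). "dcv.ca.example" is a
# placeholder for the CA's validation target; the random values are made up.
SAMPLE_ZONE = """\
; owner                              ttl class type  target
_k3v9q2x7m1p8z4t6.shop.example.com. 300 IN CNAME dcv.ca.example.
k3v9q2x7m1p8z4t6.blog.example.com.  300 IN CNAME dcv.ca.example.
www.example.com.                    300 IN CNAME cdn.example.net.
_A1B2C3D4E5F6G7H8.EXAMPLE.COM.      300 IN CNAME DCV.CA.EXAMPLE.
"""


def normalize(name):
    """DNS names are case-insensitive; drop the root dot for comparison."""
    return name.rstrip(".").lower()


def parse_cname_records(zone_text):
    """Yield (owner, target) for every CNAME line in zone-file style text."""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comments, then tokenize
        types = [f.upper() for f in fields]
        if "CNAME" not in types:
            continue
        idx = types.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed: no owner or no target
        yield normalize(fields[0]), normalize(fields[idx + 1])


def audit_dcv_records(zone_text, ca_target):
    """Report each CNAME pointing at the CA target and whether its leftmost
    label (the random challenge value) begins with an underscore."""
    findings = []
    for owner, target in parse_cname_records(zone_text):
        if target != normalize(ca_target):
            continue  # ordinary CNAME, not a validation record
        label, _, domain = owner.partition(".")
        compliant = label.startswith("_") and len(label) > 1
        findings.append({
            "domain": domain,
            "label": label,
            "status": "ok" if compliant else "missing-underscore",
        })
    return findings


if __name__ == "__main__":
    for f in audit_dcv_records(SAMPLE_ZONE, "dcv.ca.example"):
        print(f"{f['status']:<18} {f['label']}.{f['domain']}")
```

A `missing-underscore` result marks a validation record of the kind that triggered the revocation; ordinary CNAMEs such as the `www` entry are ignored.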
In terms of rectification, DigiCert has outlined the steps for impacted customers to reissue their certificates. This involves logging into their CertCentral account, identifying affected certificates, generating a new Certificate Signing Request (CSR), and completing any additional required validation steps before installing the reissued SSL/TLS certificate.
Additionally, affected customers have been notified and are encouraged to contact their DigiCert account managers or call the support hotline at +1 801-770-1718 for further assistance.
Overall, the revocation and reissuance of these certificates is being guided by a commitment to ensuring the integrity and trustworthiness of the SSL/TLS security certificates issued by DigiCert.