July 31, 2024 at 06:36AM
DigiCert is revoking TLS certificates after finding a flaw in its domain validation process, which affects websites, applications, and services that now have to replace those certificates on short notice. The CA/Browser Forum Baseline Requirements oblige a CA to revoke within 24 hours once it learns that a domain validation cannot be relied upon, so the company has little room to delay. The flaw was in validating domain control through a DNS CNAME record. Roughly 0.4% of applicable domain validations were affected, and CISA has urged affected customers to act.
Key takeaways:
1. DigiCert is facing a revocation incident due to a domain validation issue, which impacts TLS certificates. This could potentially cause disruptions to websites, applications, and services.
2. The flaw is in DigiCert's DNS CNAME validation method: the customer publishes a CNAME record whose name carries a random value supplied by DigiCert, and DigiCert looks that record up to confirm control of the domain. The random value is supposed to be prefixed with an underscore so the record name can never be a real hostname; the CA/Browser Forum Baseline Requirements permit placing the value under a label that begins with an underscore for exactly this reason. In some cases the underscore was not added, so those validations did not meet the Baseline Requirements and the certificates issued on them must be revoked.
3. DigiCert is revoking the affected certificates within the 24-hour window that the CA/Browser Forum Baseline Requirements mandate for this kind of validation failure.
4. The impact is estimated to affect roughly 0.4% of applicable domain validations, which could translate to thousands of affected certificates given DigiCert’s significant customer base that includes Fortune 500 companies and top global banks.
5. Impacted customers have been notified and provided with technical details and step-by-step instructions to replace the affected certificates within the required timeframe.
6. The US cybersecurity agency CISA has issued an alert advising DigiCert customers to check for non-compliant certificates and take necessary action to prevent disruptions.
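The CNAME validation flow and the underscore check described in takeaway 2, as an added example that is not DigiCert's code and does not describe its internal systems. The CA target hostname `dcv.example-ca.invalid`, the random value `3a7f9c0d`, the zone contents and the audit records are all constructed for this example; the functions model only the "underscore-prefixed label below the Authorization Domain Name" form of the validation, and show how a compliance guard on the record name catches the missing prefix and how past validation records can be audited for it.

```python
"""Added example (not DigiCert's code): a small model of DNS CNAME
domain-control validation showing why the underscore prefix matters and
how a CA could audit past validations for the defect.

Constructed/assumed values: the CA target hostname, the random value, the
zone contents and the audit records are all made up for this example.
"""
import secrets

# Constructed CA-side CNAME target (assumption; not DigiCert's real value).
CA_CNAME_TARGET = "dcv.example-ca.invalid"


def new_random_value(nbytes: int = 16) -> str:
    """Random value the CA issues to the applicant; hex keeps it a valid DNS label."""
    return secrets.token_hex(nbytes)


def validation_name(domain: str, random_value: str, underscore: bool = True) -> str:
    """Name at which the applicant must publish the CNAME.

    The Baseline Requirements permit the random value under a label that
    begins with '_' below the Authorization Domain Name. underscore=False
    models the defective code path that omitted the prefix.
    """
    label = ("_" if underscore else "") + random_value
    return f"{label}.{domain}".lower().rstrip(".")


def is_compliant_validation_name(name: str, domain: str) -> bool:
    """True if name is domain preceded only by labels that begin with '_'.

    Hostnames cannot contain '_', so such a name can never collide with an
    existing host that someone else might control.
    """
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    if not name.endswith("." + domain):
        return False
    prefix = name[: -len(domain) - 1]
    return all(lbl.startswith("_") and len(lbl) > 1 for lbl in prefix.split("."))


def lookup_cname(zone: dict, name: str):
    """Stand-in for a DNS CNAME query against an in-memory zone."""
    return zone.get(name.lower().rstrip("."))


def validate_domain_control(zone: dict, domain: str, random_value: str, name: str):
    """CA-side check of one validation attempt. Returns (ok, reason).

    `name` is whatever the issuance pipeline constructed; the compliance
    check is the guard that would have caught the missing underscore.
    """
    if not is_compliant_validation_name(name, domain):
        return False, "validation name lacks underscore prefix"
    issued_label = name.lower().split(".")[0].lstrip("_")
    if issued_label != random_value.lower():
        return False, "validation name does not carry the issued random value"
    target = lookup_cname(zone, name)
    if target is None:
        return False, "no CNAME at validation name"
    if target.lower().rstrip(".") != CA_CNAME_TARGET:
        return False, "CNAME does not point at the CA target"
    return True, "ok"


def find_noncompliant(records):
    """Audit past validations: records is an iterable of (domain, name).

    Returns the subset whose name lacks the underscore prefix; a CA would
    then revoke the certificates issued on the strength of those records.
    """
    return [(d, n) for d, n in records if not is_compliant_validation_name(n, d)]


if __name__ == "__main__":
    domain = "example.com"
    token = "3a7f9c0d"  # constructed; a real issuance would call new_random_value()
    # Constructed zone: the operator has published both forms of the record.
    zone = {
        "_3a7f9c0d.example.com": CA_CNAME_TARGET,
        "3a7f9c0d.example.com": CA_CNAME_TARGET,
    }
    for with_underscore in (True, False):
        name = validation_name(domain, token, underscore=with_underscore)
        print(name, validate_domain_control(zone, domain, token, name))
    audit = [("example.com", "_3a7f9c0d.example.com"),
             ("example.org", "5b2e7d1a.example.org")]
    print("non-compliant:", find_noncompliant(audit))
```

Note that the non-underscored record validates identically at the DNS level (the CNAME exists and points at the CA), which is why the defect was invisible to the lookup itself; only the rule on the record's name distinguishes a compliant validation from a non-compliant one, and that is the rule a CA would replay over its validation history to find the affected set.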
For affected operators the revocation is time-critical: identify the impacted certificates, reissue them, and deploy the replacements before the revoked ones stop being trusted.