Certificate authority (CA) DigiCert has announced the revocation of approximately 0.4% of its customers' SSL/TLS certificates following the discovery of a flaw in its domain control validation (DCV) process. The issue affects only certificates validated through DNS CNAME records: a bug caused the mandatory underscore character to be omitted from the random verification string, in violation of industry standards.
The affected certificates were issued between August 2019 and June 2024. DigiCert has urged impacted customers to reissue their certificates within 24 hours to avoid any disruptions.
DigiCert, known for providing Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates, uses several methods to verify a customer's control or ownership of a domain before issuing a certificate. One such method involves customers adding a DNS CNAME record containing a random value provided by DigiCert. This random value is supposed to be prefixed with an underscore character to prevent any potential collision with actual domain names.
In August 2019, a system update inadvertently removed the automatic addition of the underscore prefix in some validation paths. This oversight went unnoticed until June 2024, when a user-experience enhancement project consolidated multiple random value generation microservices into a single service. This update reintroduced the underscore prefix and simplified the process, thereby reducing customer support calls and fixing display bugs in DigiCert’s CertCentral platform.
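The following is an added example, not DigiCert's code or any part of its CertCentral platform. It models the CNAME-based DCV flow described above: the CA generates a random value, the customer publishes it as a CNAME label under the domain, and the CA checks the record. It contrasts a correct generator with one that reproduces the described defect (prefix dropped), shows why the underscore matters (an underscore-prefixed label can never be a syntactically valid RFC 1123 host name, so it cannot collide with an existing host), and includes the kind of compliance test and audit a CA could run to catch or enumerate affected validations. The record name format `<value>.<domain>`, the CNAME target `dcv.ca-example.test`, and all zone data and validation records are constructed assumptions for illustration.

```python
"""Added example modelling CNAME-based domain control validation (DCV).

Not DigiCert's code. Record name format, CA target and all sample data are
constructed assumptions for illustration.
"""
import re
import secrets
from datetime import date

# RFC 1123 host-name label: starts and ends with a letter or digit, hyphens
# inside. A label matching this could be a real host name, so a validation
# record placed there could collide with (or be pre-empted by) an existing host.
# A leading underscore can never match, which is why the standard requires it.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def generate_random_value(nbytes: int = 16) -> str:
    """Correct behaviour: the random value carries the mandatory underscore prefix."""
    return "_" + secrets.token_hex(nbytes)


def generate_random_value_buggy(nbytes: int = 16) -> str:
    """Models the defect described in the article: the prefix is silently dropped."""
    return secrets.token_hex(nbytes)


def could_collide_with_hostname(value: str) -> bool:
    """True if the label is a valid host-name label, i.e. <value>.<domain>
    could already exist as an ordinary host under someone else's control."""
    return HOSTNAME_LABEL.match(value) is not None


def is_compliant_random_value(value: str) -> bool:
    """The compliance check a CA's automated test suite should run on every
    value emitted by any random-value generator, whatever the code path."""
    return value.startswith("_") and len(value) > 1 and not could_collide_with_hostname(value)


def validation_record_name(domain: str, value: str) -> str:
    """Name the customer must create: <random value>.<domain> (format assumed here)."""
    return f"{value}.{domain}".lower()


def verify_cname(dns_zone: dict, domain: str, value: str, expected_target: str) -> bool:
    """CA-side check that the customer's CNAME points at the CA's target.

    dns_zone is a constructed name -> CNAME-target mapping standing in for a
    live DNS lookup so the example runs offline.
    """
    name = validation_record_name(domain, value)
    found = dns_zone.get(name, "").lower().rstrip(".")
    return found == expected_target.lower().rstrip(".")


def audit_validations(validations: list) -> dict:
    """Enumerate in-effect validations whose random value lacks the prefix.

    Those validations do not meet the standard and the certificates that rely
    on them must be revoked and reissued after a fresh, compliant validation.
    """
    affected = [v for v in validations if not is_compliant_random_value(v["random_value"])]
    pct = round(100.0 * len(affected) / len(validations), 2) if validations else 0.0
    return {"affected": affected, "percent": pct}


# Constructed sample data (not real customer records or DNS).
SAMPLE_ZONE = {
    "_9f3c2a7e.example.com": "dcv.ca-example.test.",
    "9f3c2a7e.example.com": "dcv.ca-example.test.",  # what the buggy path produced
}

SAMPLE_VALIDATIONS = [
    {"domain": "example.com", "random_value": "_9f3c2a7e", "date": date(2024, 7, 1)},
    {"domain": "example.com", "random_value": "9f3c2a7e", "date": date(2020, 3, 5)},
    {"domain": "example.net", "random_value": "_b04e11d9", "date": date(2023, 9, 9)},
    {"domain": "example.org", "random_value": "_c1d2e3f4", "date": date(2022, 1, 1)},
]

if __name__ == "__main__":
    result = audit_validations(SAMPLE_VALIDATIONS)
    print(f"{result['percent']}% of sample validations must be redone")
    for v in result["affected"]:
        print(f"  reissue: {v['domain']} (validated {v['date']}, label {v['random_value']!r})")
```

Note that `verify_cname` succeeds for both the prefixed and the unprefixed label in the sample zone: the functional check passes either way, which is exactly why the defect survived for years. Only a compliance-level assertion on the emitted value, as `is_compliant_random_value` does, catches it.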
The issue was brought to DigiCert's attention several weeks ago through a problem report email. Although the reporter did not provide specific certificate serial numbers, DigiCert's preliminary investigation, followed by further scrutiny prompted by external guidance, confirmed the validation flaw.
“Recently, we learned that we did not include the underscore prefix with the random value used in some CNAME-based validation cases. This impacted approximately 0.4% of the applicable domain validations we have in effect. Under strict CABF rules, certificates with an issue in their domain validation must be revoked within 24 hours, without exception,” DigiCert said in a blog post.
To prevent similar incidents in the future, the company has taken several preventive measures: consolidating and reviewing all random value generators across DCV; simplifying the user experience so customers do not need to know the specific random value format for their chosen DCV method; embedding compliance team members in all Certificate Authority (CA) and Registration Authority (RA) sprint teams, including design and architecture reviews, to review all applicable changes; extending test coverage in all validation workflows beyond functional testing with compliance-based automated test cases; and open-sourcing its DCV code for community review.