DigiCert to Revoke Thousands of Certificates Following DNS Validation Error

DigiCert, a major certificate authority, is revoking thousands of SSL/TLS certificates because of a domain control verification (DCV) error, a move that could affect a large number of websites.

The company discovered that an oversight in the DNS-based verification process affected approximately 0.4% of its applicable domain validations.

The problem stems from DigiCert’s failure to include an underscore prefix in the random value used for CNAME-based domain validation.


The oversight is minor, but it violates the strict rules set by the CA/Browser Forum (CABF) for properly verifying domain control.

The CABF Baseline Requirements mandate that, when DNS CNAME records are used for domain validation, the random value must in certain cases be prefixed with an underscore character.


This requirement ensures that the validation subdomain cannot collide with an actual domain name, even though the chances of such a collision are extremely low.
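As an added illustration (not code from the article or from DigiCert), the script below checks whether a DNS owner name used for CNAME-based DCV follows the underscore-prefix convention described above, and shows why the prefix rules out collisions: a label starting with an underscore can never be a valid hostname under the letters-digits-hyphen rule. All domain names and random values are constructed for this example.

```python
# Added example: audit CNAME-based DCV owner names for the underscore prefix.
# Every name and value here is constructed; none comes from DigiCert.
import re

# Hostname labels (RFC 952/1123) use only letters, digits and hyphens, so an
# underscore-prefixed label such as _<random>.example.com can never be a real
# host name. That is the collision guarantee the underscore prefix provides.
HOSTNAME_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def could_be_hostname(label: str) -> bool:
    """True if a single DNS label could also be a legitimate host name."""
    return bool(HOSTNAME_LABEL_RE.match(label))


def dcv_owner_name(domain: str, random_value: str) -> str:
    """Compliant owner name for the DCV CNAME record: _<random>.<domain>."""
    return f"_{random_value}.{domain.rstrip('.').lower()}."


def classify_dcv_owner(owner: str, domain: str, random_value: str) -> str:
    """Classify an owner name seen in a zone relative to one DCV random value."""
    owner = owner.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    if owner == f"_{random_value}.{domain}".lower():
        return "compliant"
    if owner == f"{random_value}.{domain}".lower():
        return "missing-underscore"  # the defect the article describes
    return "unrelated"


def audit_zone(records, domain, random_value):
    """records: iterable of (owner, rrtype, target). Returns {class: [owners]}."""
    result = {"compliant": [], "missing-underscore": [], "unrelated": []}
    for owner, rrtype, _target in records:
        if rrtype.upper() != "CNAME":
            continue  # only CNAME records take part in this validation method
        result[classify_dcv_owner(owner, domain, random_value)].append(owner)
    return result


# Constructed zone snippet: one correct DCV record and one placed without the prefix.
SAMPLE_RECORDS = [
    ("_k7m2x9q1.example.com.", "CNAME", "dcv.example-ca.test."),
    ("k7m2x9q1.example.com.", "CNAME", "dcv.example-ca.test."),
    ("www.example.com.", "CNAME", "example.com."),
    ("example.com.", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    print(audit_zone(SAMPLE_RECORDS, "example.com", "k7m2x9q1"))
```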

DigiCert has notified affected customers, who must now replace their certificates within 24 hours. This urgent timeline is due to CABF rules that require non-compliant certificates to be revoked within 24 hours of discovery, without exception.

“Any issue with domain validation is considered a serious issue by CABF and requires immediate action. Failure to comply can result in a distrust of the Certificate Authority. As such, we must revoke all impacted certificates within 24 hours of discovery. No extensions or delays are permitted. We apologize if this causes a business disruption to you and are standing by to assist you with validating your domain and issuing replacement certificates immediately,” DigiCert said.

Impacted customers are advised to:

  1. Log in to their DigiCert CertCentral account
  2. Identify affected certificates
  3. Reissue or rekey the impacted certificates
  4. Complete any additional required validation steps
  5. Install the newly issued SSL/TLS certificates

DigiCert traced the issue back to changes made to its domain validation systems in August 2019. The company’s modernization efforts inadvertently removed a crucial step from its validation process, and the omission went undetected because of limitations in its regression testing.

How to check for Certificate Revocation

Certutil Command-Line Tool: Available on Windows, this tool can verify certificates and CRLs. With -urlfetch it also retrieves the CRL and OCSP URLs listed in the certificate and reports the revocation status it obtains from them.

certutil -f -urlfetch -verify mycertificatefile.cer

Sending an OCSP Request: Use a tool like OpenSSL to send an OCSP request to the responder URL obtained in the previous step (the OCSP address listed in the certificate’s Authority Information Access extension), supplying the certificate and its issuer certificate:

openssl ocsp -issuer issuer.crt -cert cert.crt -url <OCSP_URL>


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.