In a move that could cause some serious headaches for website administrators, DigiCert, a major digital certificate provider, is revoking thousands of SSL certificates due to a technical error in the company’s domain validation process.
DigiCert made the decision after discovering a critical issue in its Domain Control Validation (DCV) process, which affected approximately 0.4 per cent of their certificates issued. According to a statement issued by DigiCert, the issue stems from a missing underscore character that’s supposed to be included with a random value used during verification.
How Domain Validation Works
Before issuing an SSL certificate, DigiCert needs to confirm that the applicant actually owns the domain name they’re requesting a certificate for. They achieve this through a process called Domain Control Verification (DCV). One method used for DCV involves adding a specific record to the domain’s DNS settings, which contains a random value provided by DigiCert. By verifying the presence of this random value, DigiCert can confirm the applicant’s control over the domain.
There are a few ways to add this record, but one approach requires the random value to be prefixed with an underscore character. This seemingly minor detail ensures the random value can’t accidentally clash with an actual subdomain name. While the odds of such a collision are slim, the lack of an underscore is still considered a security risk under the guidelines set by the CA/Browser Forum (CABF).
DigiCert recently discovered that their system wasn’t consistently adding the underscore prefix to the random value in all CNAME-based DCV scenarios. This means some certificates were issued based on an incomplete validation process, violating the CABF requirements. As a result, DigiCert is forced to revoke all affected certificates within 24 hours to maintain trust and compliance.
DigiCert’s rapid response stands in contrast to compliance failures noted by Google in its decision to distrust certificates issued by Entrust.
What Caused the DigiCert Error?
According to DigiCert, the issue arose during a system upgrade they implemented in August 2019. The new system streamlined the validation process but, in the shuffle, the code responsible for adding the underscore prefix got left behind in the legacy system. This resulted in a situation where some validation paths included the underscore, while others didn’t.
Certificate Fixes for Customers
DigiCert estimates that roughly 0.4% of their active domain validations are affected by this error. Impacted customers have been notified and have a tight window of 24 hours to replace their revoked certificates. Here’s what you need to do if you’re a DigiCert customer:
- Check Your Notification: DigiCert should have sent you an email or notification within your account dashboard if any of your certificates are affected.
- Identify Revoked Certificates: Log in to your DigiCert account and locate the impacted certificates.
- Reissue Your Certificates: You’ll need to generate a new Certificate Signing Request (CSR) and reissue your certificates. DigiCert provides instructions on how to do this within their CertCentral platform.
- Install the New Certificates: Once reissued, install the new SSL certificates on your web server to restore secure communication.
Looking Ahead: Preventing Future Certificate Incidents
DigiCert has acknowledged the inconvenience this incident caused and is taking steps to prevent similar issues in the future. These measures include:
- Consolidating and Reviewing Random Value Generators: They’re streamlining their system to ensure consistent underscore prefix addition across all DCV methods.
- Simplified User Experience: Customers won’t need to worry about the specific format of the random value based on their chosen DCV method.
- Enhanced Compliance: Compliance teams will be embedded within DigiCert’s development teams to ensure all changes adhere to relevant regulations.
- Increased Test Coverage: DigiCert plans to expand their testing procedures beyond basic functionality to include automated compliance checks.
- Open-Sourcing DCV: They’re committed to making their DCV process open-source for broader community review and potential improvements.
Focus on Safety
While the chances of a security breach directly resulting from this missing underscore are minimal, DigiCert’s swift action highlights the importance of maintaining strict domain validation procedures. This incident serves as a reminder for website owners to stay updated on any security alerts from their certificate authorities and to act promptly when certificate revocation notices are received. By keeping your SSL certificates current and following best practices, you can ensure a secure and trustworthy online experience for your website visitors.
