Certificate authority (CA) DigiCert has issued a warning that they will revoke certain SSL/TLS certificates within 24 hours due to an oversight in verifying the domain ownership for these certificates.
The decision to revoke these certificates is due to the lack of proper Domain Control Validation (DCV) in these certificates.
DigiCert validates the domain ownership when issuing a certificate using approved methods by the CA/Browser Forum, such as the creation of a DNS CNAME record with a random value provided by DigiCert.
The issue arose from a coding change in 2019 that led to some CNAME-based validation cases missing the underscore prefix in the random value used for validation.
After discovering the issue, DigiCert made changes to the random value generation process to eliminate mistakes in adding the underscore prefix but failed to compare the new system with the legacy system.
Approximately 0.4% of the domain validations are affected by this issue, impacting 83,267 certificates and 6,807 customers.
A recommended solution for affected customers is to replace their certificates by generating a Certificate Signing Request (CSR) and passing DCV.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert regarding the revocation of these certificates, warning of possible disruptions to websites relying on them for secure communication.
