DigiCert's Revocation of 83,000 Certificates: A Critical Security Move
DigiCert has begun the process of revoking over 83,000 SSL/TLS certificates due to a recently identified domain validation issue. This significant action has prompted urgent responses from customers across various sectors, especially those in critical infrastructure and other essential services, who are seeking more time to adjust.
Incident Overview
On July 29, DigiCert informed its customers about an incident related to domain validation. According to the certificate authority, approximately 0.4% of applicable domain validations were affected, which translates to 83,267 certificates and 6,807 subscribers. The company emphasized the need to revoke these certificates within 24 hours to comply with the CA/Browser Forum (CABF) rules, which mandate strict adherence to validation protocols.
Immediate Customer Impact
While some affected customers have managed to quickly reissue their certificates, others, particularly those in critical sectors such as telecommunications, cloud services, and healthcare, face significant challenges. Jeremy Rowley, CISO at DigiCert, explained the situation: “Many other customers operating critical infrastructure are not in a position to have all their certificates revoked without causing critical service interruptions. We have deployed automation with several willing customers, but many large organizations cannot reissue and deploy new certificates everywhere in time.”
Efforts to Delay Revocations
In response to the urgent needs of its customers, DigiCert has been actively working with browser representatives and affected organizations to delay the revocation of certificates under exceptional circumstances. Despite these efforts, the company has made it clear that “all certificates impacted by this incident, regardless of circumstances, will be revoked no later than Saturday, August 3rd, 2024, 19:30 UTC.”
Legal Actions
The urgency and scale of this revocation have led some customers to take legal action against DigiCert in an attempt to prevent the immediate revocation of their certificates.
Understanding the Root Cause
The issue stems from a problem with the process DigiCert used to validate domain ownership. One validation method involves adding a DNS CNAME record with a random value provided by DigiCert. This value is prefixed with an underscore to prevent conflicts with actual domain names. However, since 2019, this underscore prefix was not consistently added, leading to non-compliance with CABF rules.
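To make the root cause concrete, here is an added illustration (not DigiCert's code or DCV implementation) of what a compliant DNS-based validation record looks like and a check that flags the defect described above: a CNAME whose leftmost label carries the random value but lacks the underscore prefix. The label layout, the 112-bit entropy floor from the CA/Browser Forum Baseline Requirements, and the sample records are assumptions or constructed data for the example.

```python
import re
import secrets

# Assumed for illustration: the CA-issued random value becomes the leftmost DNS label,
# written as _<random>.<domain>. The underscore matters because RFC 952/1123 hostnames
# cannot contain it, so the validation name can never collide with a real host.
MIN_RANDOM_BITS = 112  # CABF Baseline Requirements floor for a Random Value
HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def new_random_value() -> str:
    """CA side: 16 random bytes as hex gives 128 bits, above the 112-bit floor."""
    return secrets.token_hex(16)


def dcv_record_name(domain: str, random_value: str) -> str:
    """Name the subscriber must create for the CNAME record."""
    return f"_{random_value}.{domain.rstrip('.')}"


def check_dcv_record(name: str, random_value: str) -> list[str]:
    """Return the compliance problems with one validation record (empty list = OK)."""
    problems = []
    first = name.rstrip(".").split(".")[0]
    if not first.startswith("_"):
        problems.append(f"label '{first}' lacks the required underscore prefix")
        if HOSTNAME_LABEL.match(first):
            # Without the underscore the label is a legal hostname label, so an
            # ordinary record could satisfy the check: exactly the gap the post describes.
            problems.append(f"'{first}' is a legal hostname label and may collide with a real host")
    if first.lstrip("_").lower() != random_value.lower():
        problems.append("label does not carry the CA-issued random value")
    try:
        if len(bytes.fromhex(random_value)) * 8 < MIN_RANDOM_BITS:
            problems.append("random value is shorter than 112 bits")
    except ValueError:
        problems.append("random value is not hex")
    return problems


def audit(records: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each non-compliant record name to its list of problems."""
    return {name: p for name, value in records if (p := check_dcv_record(name, value))}


# Constructed sample records (not real DigiCert data).
GOOD_VALUE = "0123456789abcdef0123456789abcdef"  # 128 bits
SAMPLE_RECORDS = [
    ("_" + GOOD_VALUE + ".example.com", GOOD_VALUE),  # compliant
    (GOOD_VALUE + ".example.com", GOOD_VALUE),        # underscore prefix missing
    ("_deadbeef.example.org", "deadbeef"),            # only 32 bits of random value
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RECORDS).items():
        print(name, "->", "; ".join(problems))
```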
The Security Implications
Andrew Ayer, founder of SSLMate and a digital certificates expert, highlighted the security implications of this oversight, stating, “This is a security-critical incident, as there is a real risk that this flaw could have been exploited to obtain unauthorized certificates. The revocation of improperly validated certificates is essential for security.”
Required Actions for Affected Customers
Customers impacted by this issue must act quickly to replace their certificates. DigiCert has provided a step-by-step guide for reissuing certificates:
- Log in to your CertCentral account and view the CNAME Revocation Incident banner.
- Navigate to the Certificates > Orders page to locate your impacted certificates.
- Generate a new Certificate Signing Request (CSR).
- On each certificate’s Order # details page, select Reissue certificate from the Certificate actions dropdown.
- Complete any additional required validation steps.
- Install your reissued SSL/TLS certificate.
For those using a certificate management solution like Trust Lifecycle Manager, specific instructions for automating certificate replacement are available.
For further assistance, customers can contact DigiCert Support directly at +1 801-770-1718.
Preventive Measures
To prevent future incidents, DigiCert has implemented several measures:
- Reviewing and consolidating all random value generators used in domain control validation.
- Simplifying the user experience to ensure customers do not need to handle specific random value formats.
- Embedding compliance team members in all CA and RA sprint teams to review changes.
- Expanding test coverage to include compliance-based automated test cases.
- Open-sourcing DCV for community review.
Conclusion
DigiCert's decision to revoke over 83,000 certificates underscores the importance of stringent security measures and compliance with validation protocols. While this incident presents significant challenges for affected customers, DigiCert’s proactive steps and commitment to security aim to maintain the trust and integrity of digital certificates. Customers are urged to take immediate action to replace their certificates and ensure the continued security of their online services.
Source: https://www.cisa.gov, https://www.digicert.com