DNS Validation Error Caused DigiCert to Revoke Thousands of Certificates

DigiCert, one of the largest Certificate Authorities, has announced the revocation of certificates whose Domain Control Validation (DCV) did not meet the required standard.

The issue affected approximately 0.4% of the applicable domain validations DigiCert had in effect, and the company moved quickly to correct it.

The problem arose because, in some CNAME-based validation cases, the random value DigiCert gave customers to publish in DNS was missing its underscore prefix.

The underscore prefix matters because an underscore is not a legal character in a hostname label (RFC 1123), so a record named _<random value>.example.com can never be the name of an existing host. The Baseline Requirements' DNS Change method (section 3.2.2.4.7) therefore requires the Random Value to be published either at the Authorization Domain Name itself or at a label that begins with an underscore. Without the prefix, <random value>.example.com is a syntactically valid hostname that could, in principle, collide with a real subdomain.

Although the likelihood of such a collision is extremely low, the absence of the underscore prefix is treated as a security risk and as non-compliance with the CA/Browser Forum (CABF) Baseline Requirements.
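To make the point concrete, the following is an added example (not DigiCert's code, and not taken from the incident report) that builds a CNAME-based DCV record with and without the underscore prefix and runs the structural check that the article says was missing from regression testing. The CA-side target zone dcv.example-ca.test and the base32 token format are assumptions for illustration only; the real DigiCert hostname and token format are not shown on the page.

```python
import base64
import re
import secrets

# Hypothetical CA-controlled zone that the customer's CNAME points at.
# DigiCert's real target hostname and token format are not on the page; assumed here.
DCV_TARGET_ZONE = "dcv.example-ca.test"

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 octets, no leading or
# trailing hyphen. Underscore is not permitted, so a label that begins with "_"
# can never be the name of a real host; that is what the prefix buys.
_HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname_label(label: str) -> bool:
    """True if the label could be an ordinary host label (and so could collide)."""
    return bool(_HOSTNAME_LABEL.match(label))


def new_random_value(entropy_bits: int = 128) -> str:
    """Random Value with at least the 112 bits of entropy the Baseline Requirements demand.

    Unpadded, lower-case base32 keeps the value usable as a DNS label."""
    if entropy_bits < 112:
        raise ValueError("Baseline Requirements require a Random Value with >= 112 bits of entropy")
    raw = secrets.token_bytes((entropy_bits + 7) // 8)
    return base64.b32encode(raw).decode("ascii").rstrip("=").lower()


def dcv_cname_record(domain: str, random_value: str, underscore_prefix: bool = True):
    """Return (owner_name, target) for the CNAME the customer is asked to publish.

    underscore_prefix=False reproduces the defect the article describes: the
    owner name becomes <random>.<domain>, a syntactically valid hostname."""
    label = ("_" if underscore_prefix else "") + random_value
    return f"{label}.{domain}", f"{random_value}.{DCV_TARGET_ZONE}"


def check_dcv_owner_name(owner_name: str) -> list:
    """The regression check that was missing: inspect the content and structure of
    the label instead of only exercising the workflow. Returns a list of findings;
    an empty list means the owner name is acceptable."""
    findings = []
    leftmost = owner_name.split(".", 1)[0]
    if not leftmost.startswith("_"):
        findings.append("leftmost label lacks the underscore prefix")
    if is_valid_hostname_label(leftmost):
        findings.append("leftmost label is a valid hostname label and could collide with a real host")
    if len(leftmost) > 63:
        findings.append("leftmost label exceeds 63 octets")
    # 5 bits per base32 character; a label too short cannot carry 112 bits.
    if len(leftmost.lstrip("_")) * 5 < 112:
        findings.append("random value is too short to hold 112 bits of entropy")
    return findings


if __name__ == "__main__":
    rv = new_random_value()
    good, target = dcv_cname_record("example.com", rv)
    bad, _ = dcv_cname_record("example.com", rv, underscore_prefix=False)
    print(f"{good} CNAME {target} -> findings: {check_dcv_owner_name(good)}")
    print(f"{bad} CNAME {target} -> findings: {check_dcv_owner_name(bad)}")
```

Run as a script, the first record passes with no findings while the second (the defective form) is flagged both for the missing prefix and for being a legal hostname label. The check is deliberately independent of the workflow code that produces the record, which is the property a regression test for this class of bug needs.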

The Baseline Requirements require a CA to revoke a certificate within 24 hours once it learns that the domain validation behind it should not be relied upon.

As a result, DigiCert was compelled to revoke the impacted certificates and notify the affected customers to replace their certificates within the stipulated timeframe.

According to the DigiCert report, “we learned that we did not include the underscore prefix with the random value used in some CNAME-based validation cases. This impacted approximately 0.4% of the applicable domain validations we have in effect.”

Background of the Incident

The issue originated from DigiCert’s modernization of its domain and organization validation systems in August 2019.

The company transitioned to a service-based architecture, which inadvertently removed the automatic addition of the underscore prefix to random values in certain paths of the updated system.

The omission was not detected during cross-functional team reviews and regression testing, which focused on workflows and functionality rather than on the content and structure of the random value.

The issue came to light when someone contacted DigiCert’s problem report alias, prompting a preliminary investigation.

Although the initial review did not uncover any issues, further investigation and guidance from external CABF participants led to the discovery of the problem. DigiCert immediately initiated an incident management process and took steps to rectify the situation.

To prevent similar incidents in the future, DigiCert has taken or will take the following actions:

  • Enhance the random value generation process to include an underscore prefix
  • Simplify the validation process to reduce customer support calls
  • Conduct thorough reviews of the legacy system and the updated architecture
  • Implement additional testing to detect any changes in functionality

Impact on Customers

DigiCert has notified the impacted customers and provided instructions on reissuing certificates in CertCentral. The company has also offered support to customers needing assistance validating their domains and issuing replacement certificates.

The incident highlights the importance of strict adherence to industry standards and regulations to ensure the security and trust of digital certificates.

How to check for Certificate Revocation

Certutil command-line tool: on Windows, certutil builds the certificate's chain, fetches the CRL and OCSP endpoints listed in the certificate (-urlfetch) and reports whether the revocation check passed:

certutil -f -urlfetch -verify mycertificatefile.cer

Sending an OCSP request: with OpenSSL, query the certificate's OCSP responder directly. The responder URL comes from the certificate's Authority Information Access (AIA) extension (openssl x509 -noout -ocsp_uri -in cert.crt prints it), and issuer.crt is the issuing CA certificate, which is needed to build the request:

openssl ocsp -issuer issuer.crt -cert cert.crt -url <OCSP_URL>

A status of good means the certificate has not been revoked; revoked means it has, and it should be replaced immediately.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Co-Founder & Editor-in-Chief, Cyber Press Inc.
