Let’s Encrypt Pushes Back Deadline to Revoke Some TLS Certificates
2020-03-05 11:29

Let's Encrypt said it will give users of its Transport Layer Security (TLS) certificates more time to replace 1 million certificates that are still active and potentially affected by a Certification Authority Authorization (CAA) bug before it revokes them.

The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software, discovered and patched this past Sunday, impacted the way its software checked domain ownership before issuing certificates.

"Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline," Josh Aas, executive director for Let's Encrypt, said in a blog post updating users on the situation Wednesday.

The company's plan now is to revoke 1,706,505 certificates that the company is confident were already replaced as well as "445 certificates that we treated as highest priority for revocation because, at the time we found the bug, they had CAA records that forbid issuance by Let's Encrypt," Aas wrote in the post.

The deadline to revoke certificates left users of Let's Encrypt certificates scrambling Wednesday to assess if site certificates needed updating and, if so, how to complete the task before they were revoked.


News URL

https://threatpost.com/lets-encrypt-pushes-back-deadline-to-revoke-some-tls-certificates/153456/