DigiCert mass-revoking TLS certificates due to domain validation bug
2024-07-30 15:02

DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified whether a customer owned or operated a domain, and it requires impacted customers to reissue certificates within 24 hours.

DigiCert is one of the prominent certificate authorities that provides SSL/TLS certificates, including Domain Validated, Organization Validated, and Extended Validation certificates.

One of the methods used to validate domain ownership is to add a string with a random value to a DNS CNAME record for the domain named on the certificate, then perform a DNS lookup for that domain to ensure the random values match.

"This impacted approximately 0.4% of the applicable domain validations we have in effect. Under strict CABF rules, certificates with an issue in their domain validation must be revoked within 24 hours, without exception."

Eventually, on July 29, DigiCert discovered the lack of the underscore on a small percentage of certificates while investigating a separate report about the generation of random values.

It should be noted that DigiCert will be revoking impacted certificates within 24 hours.
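
The CNAME check described above, sketched as an added example that is not from the article or from DigiCert. It assumes the random value is the leftmost label of the CNAME owner name and must carry a leading underscore, and it uses a constructed zone table in place of live DNS lookups; the domain names, random value and `dcv.ca.example` target are hypothetical.

```python
# Added example: audit a CNAME-based domain control validation (DCV) record.
# Zone data, CA target and random-value format are constructed assumptions.

def _norm(name):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return name.strip().rstrip(".").lower()


def check_dcv_cname(domain, random_value, ca_target, zone):
    """Return (ok, reason) for the CNAME placed to prove control of `domain`.

    `zone` maps owner name -> CNAME target and stands in for DNS lookups.
    """
    records = {_norm(k): _norm(v) for k, v in zone.items()}
    prefixed = _norm(f"_{random_value}.{domain}")
    bare = _norm(f"{random_value}.{domain}")

    if prefixed in records:
        if records[prefixed] == _norm(ca_target):
            return True, "ok"
        return False, "wrong-target"
    if bare in records:
        # The random value matches, but the label is an ordinary hostname
        # label with no underscore, so the validation is rejected.
        return False, "missing-underscore"
    return False, "not-found"


# Constructed sample data (hypothetical names and values).
RANDOM_VALUE = "k7q2m9x4c1v8b5n3"
CA_TARGET = "dcv.ca.example"
SAMPLE_ZONES = {
    "good.example": {f"_{RANDOM_VALUE}.good.example.": "DCV.ca.example."},
    "nounderscore.example": {f"{RANDOM_VALUE}.nounderscore.example.": CA_TARGET},
    "wrongtarget.example": {f"_{RANDOM_VALUE}.wrongtarget.example.": "other.example."},
    "empty.example": {},
}


def audit(zones):
    """Run the check over every sample domain and collect the results."""
    return {d: check_dcv_cname(d, RANDOM_VALUE, CA_TARGET, z)
            for d, z in zones.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_ZONES).items():
        print(f"{name:24} {'PASS' if ok else 'FAIL'}  {reason}")
```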


News URL

https://www.bleepingcomputer.com/news/security/digicert-mass-revoking-tls-certificates-due-to-domain-validation-bug/