DigiCert gives unlucky folks 24 hours to replace doomed certificates after code blunder
2024-07-31 01:31

DigiCert has given some unlucky customers 24 hours to replace SSL/TLS security certificates it previously issued them, due to a five-year-old blunder in its backend software.

The Register has asked exactly how many domains this represents, and we'll let you know if DigiCert can come up with a number.

Let's say you don't own example.com but you want to try to get a certificate for it from DigiCert so you can do nefarious things that we won't go into here.

DigiCert did not tell its customers in its documentation that they had to put an underscore at the start, and from August 2019 to now, DigiCert's code, after some reorganizing of its software, accidentally no longer added the underscore to generated challenge values nor even checked for it.

Although the reporter did not provide serial numbers for any certificates, DigiCert conducted a preliminary investigation.

After the reporter requested additional reviews, DigiCert sought guidance from external CABF participants, who suggested DigiCert conduct an additional review.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/31/digicert_certificates_revoked/