DigiCert, a major certificate authority, is revoking thousands of SSL/TLS certificates[1] because of a domain control verification error. This could affect a large number of websites.
The company discovered that an oversight in the DNS-based verification process affected approximately 0.4% of its applicable domain validations.
The problem stems from DigiCert’s failure to include an underscore prefix in the random value used for CNAME-based domain validation.
The oversight is minor, but it breaks the strict rules set by the CA/Browser Forum (CABF) for verifying domain control properly.
The CABF Baseline Requirements mandate that when using DNS CNAME records[2] for domain validation, the random value must be prefixed with an underscore character in certain cases.
This requirement ensures that the validation subdomain cannot collide with an actual domain name, even though the chances of such a collision are extremely low.
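The following is an added example, not DigiCert's code, that simulates the CA-side checks for the CNAME validation method described above against a constructed in-memory zone instead of live DNS. The function names, the sample domains and the CNAME target `dcv.ca.example.` are invented for the illustration; the rule they encode is the CA/Browser Forum requirement that a validation label placed beneath the domain must begin with an underscore. `label_is_compliant` is the kind of regression check whose absence let the non-compliant form go unnoticed.

```python
import base64
import secrets

# Placeholder CNAME target for this example; a real CA publishes its own.
DCV_TARGET = "dcv.ca.example."


def new_random_value() -> str:
    """128-bit random value encoded as one lowercase DNS label (base32, no padding)."""
    raw = secrets.token_bytes(16)
    return base64.b32encode(raw).decode("ascii").rstrip("=").lower()


def validation_name(domain: str, random_value: str, underscore_prefix: bool = True) -> str:
    """Build the FQDN at which the applicant must create the CNAME record.

    With underscore_prefix=True the label starts with '_', as the CABF Baseline
    Requirements demand for a label placed beneath the domain. With
    underscore_prefix=False this reproduces the non-compliant form described
    in the article.
    """
    label = f"_{random_value}" if underscore_prefix else random_value
    return f"{label}.{domain.rstrip('.')}."


def label_is_compliant(fqdn: str, domain: str) -> bool:
    """The missing check: a validation record is compliant if it sits at the
    domain itself, or at a label beneath it that begins with an underscore."""
    fqdn = fqdn.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    if fqdn == domain:
        return True
    if not fqdn.endswith("." + domain):
        return False
    leftmost = fqdn.split(".", 1)[0]
    return leftmost.startswith("_")


def verify_cname(zone: dict, domain: str, random_value: str) -> tuple[bool, str]:
    """CA-side verification: the CNAME must exist at the compliant name and
    point at the expected target. Returns (passed, reason)."""
    name = validation_name(domain, random_value, underscore_prefix=True)
    target = zone.get(name.lower())
    if target is None:
        return False, f"no CNAME record at {name}"
    if target.lower() != DCV_TARGET:
        return False, f"CNAME at {name} points to {target}, expected {DCV_TARGET}"
    return True, "domain control confirmed"


def audit_issued_validations(records: list) -> list:
    """Regression check over (validation_fqdn, domain) pairs that were already
    accepted: returns the names validated with a non-compliant label."""
    return [fqdn for fqdn, domain in records if not label_is_compliant(fqdn, domain)]


# Constructed sample zone: fully-qualified name -> CNAME target.
SAMPLE_ZONE = {
    "_k7f2m9qz.example.com.": "dcv.ca.example.",      # compliant record
    "k7f2m9qz.example.com.": "dcv.ca.example.",       # same token, no underscore
    "_p3ab77xl.example.net.": "dcv.other.example.",   # wrong target
}

if __name__ == "__main__":
    print(verify_cname(SAMPLE_ZONE, "example.com", "k7f2m9qz"))
    print(verify_cname(SAMPLE_ZONE, "example.net", "p3ab77xl"))
    print(audit_issued_validations([
        ("_k7f2m9qz.example.com.", "example.com"),
        ("k7f2m9qz.example.com.", "example.com"),
    ]))
```

Note that `verify_cname` only ever looks up the underscore-prefixed name, so a record created at the bare `<random>.example.com` name fails verification rather than being silently accepted; `audit_issued_validations` is the retrospective sweep a CA would run over past validations to find the ones issued under the non-compliant form.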
DigiCert has notified affected customers, who must now replace their certificates within 24 hours. This urgent timeline is due to CABF rules[4] that require non-compliant certificates to be revoked within 24 hours of discovery, without exception.
“Any issue with domain validation is considered a serious issue by CABF and requires immediate action. Failure to comply can result in a distrust of the Certificate Authority. As such, we must revoke all impacted certificates within 24 hours of discovery. No extensions or delays are permitted. We apologize if this causes a business disruption to you and are standing by to assist you with validating your domain and issuing replacement certificates immediately,” DigiCert said[5].
Impacted customers are advised to:
- Log in to their DigiCert CertCentral account
- Identify affected certificates
- Reissue or rekey the impacted certificates
- Complete any additional required validation steps
- Install the newly issued SSL/TLS certificates
DigiCert traced the issue back to changes made in their domain validation systems in August 2019. The company’s modernization efforts inadvertently removed a crucial step in its validation process, which went undetected due to limitations in its regression testing.
How to check for Certificate Revocation
Certutil Command-Line Tool: Available on Windows, this tool can verify certificates and CRLs.
certutil -f -urlfetch -verify mycertificatefile.cer
Sending an OCSP Request: Use a tool like OpenSSL to send an OCSP request to the responder URL listed in the certificate's Authority Information Access extension (certutil's verbose output shows it, and on any platform `openssl x509 -noout -ocsp_uri -in cert.crt` prints it). issuer.crt is the certificate of the issuing CA:
openssl ocsp -issuer issuer.crt -cert cert.crt -url <OCSP responder URL>
References
- ^ SSL/TLS certificates (cybersecuritynews.com)
- ^ DNS CNAME records (cybersecuritynews.com)
- ^ Free Guide (go.cynet.com)
- ^ CABF rules (cabforum.org)
- ^ said (www.digicert.com)
- ^ Free Access (app.any.run)

