This is an AI translated post.
DigiCert Certificate Crisis: Urgent SSL/TLS Security Issue Requires Action Within 24 Hours
Summarized by durumis AI
- DigiCert mistakenly issued some certificates due to a bug in its domain verification process and is revoking them; affected certificates must be reissued.
- Although the affected certificates are only about 0.4% of the total, immediate action is required for users to ensure website security.
- Especially if you are using DigiCert's custom SSL/TLS certificates on cloud services like GCP, you need to check and reissue your certificates to maintain website security.
GCP Console notice:
DigiCert announced (http://www.digicert.com/support/certificate-revocation-incident) that they would revoke certain certificates which were issued without proper Domain Control Validation. If you are affected by the issue, DigiCert will have sent a notification to your contact email address. You will see a CNAME revocation incident banner when you log in to CertCentral. To reissue/rekey your certificates, refer to the DigiCert announcement (http://www.digicert.com/support/certificate-revocation-incident). Once you have reissued the certificates, update your Google Cloud HTTP(S) Load Balancer configuration by following these instructions (https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs). If you need additional help, please contact Google Cloud Support using https://cloud.google.com/support
Upon logging into GCP, I encountered a warning/notice message. After following the provided links and summarizing the information, the overall message was that DigiCert would be revoking certain certificates issued without proper domain control validation. DigiCert states that a mere 0.4% of certificates are affected, so at first glance this might not seem like a major issue.
It is likely that most cloud administrators utilize TLS certificates provided by their respective cloud vendors or Let's Encrypt certificates. Other cases may involve on-premises or custom certificates, but a widespread internet disruption is unlikely.
In general, here is a summary of the details:
1. Cause of the issue
DigiCert's domain verification process had a bug: when Domain Control Validation was performed with a DNS CNAME record, the required underscore (_) prefix was not added to the record name (the underscore prefix is what keeps a verification-only label from being confused with a real hostname). The bug persisted from August 2019 until recently; its root cause was that this crucial security step was dropped during a system modernization effort.
2. Scope of the impact
Approximately 0.4% of certificates issued by DigiCert have been affected by this issue. While this might appear to be a small percentage, considering the vast number of certificates used globally, a significant number of websites could be impacted.
3. Actions to be taken
Affected certificates must be revoked and reissued within 24 hours. This is a crucial measure for security reasons.
4. User response methods
- Log in to your CertCentral account and identify the affected certificates.
- Generate a new CSR (Certificate Signing Request).
- Reissue and install the certificate.
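Before working through the CertCentral steps above, it helps to know which of your own endpoints actually present a DigiCert-issued certificate from the affected window. The following Python script is an added example (not DigiCert's or Google's tooling) that fetches a live endpoint's leaf certificate with the standard library and flags the ones whose issuer is DigiCert and whose issue date falls on or after August 2019; the sample certificate dictionary and the "DigiCert Example Issuing CA" name are constructed for illustration.

```python
"""Triage which TLS endpoints present a DigiCert-issued certificate from
the affected window (August 2019 onward), so its serial can be compared
against the CertCentral banner. Added example, not DigiCert/Google tooling."""
import socket
import ssl
from datetime import datetime, timezone

# Start of the window the post names; its end is only "until recently".
WINDOW_START = datetime(2019, 8, 1, tzinfo=timezone.utc)

def _rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of the RDN tuples
    that ssl.SSLSocket.getpeercert() returns for 'issuer' and 'subject'."""
    for rdn in name:
        for attr_key, attr_value in rdn:
            if attr_key == key:
                return attr_value
    return None

def needs_review(cert):
    """Return (flagged, reason) for a getpeercert()-style dict. Flagged means
    the issuer organization is DigiCert and notBefore falls in the window.
    It is a triage signal only; the authoritative list is in CertCentral."""
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName") or ""
    if "digicert" not in issuer_org.lower():
        return False, f"issuer is {issuer_org or 'unknown'}, not DigiCert"
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued < WINDOW_START:
        return False, f"issued {issued:%Y-%m-%d}, before the affected window"
    return True, (f"DigiCert serial {cert.get('serialNumber')} issued "
                  f"{issued:%Y-%m-%d}: check it against the CertCentral banner")

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live endpoint presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert Example Issuing CA"),)),
    "subject": ((("commonName", "www.example.com"),),),
    "serialNumber": "0A1B2C3D4E5F",
    "notBefore": "Jul 10 00:00:00 2024 GMT",
}
```

For a real inventory run, call `needs_review(fetch_peer_cert(host))` for each hostname you serve; certificates issued by another CA or before August 2019 are reported as not needing review.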
5. Precautions for cloud service users
Users of GCP or other cloud services who utilize custom certificates from DigiCert could be directly affected by this issue and should take immediate action. If you are using default certificates from cloud providers or Let's Encrypt, you should be unaffected.
6. Future outlook
This incident serves as a reminder of the importance and complexity of digital certificate validation. It is expected that certificate authorities will implement stricter verification processes and system checks in the future.
In conclusion, while this DigiCert certificate issue is unlikely to cause significant disruption to the entire internet, it remains a critical matter for affected website administrators. Especially for those using custom SSL/TLS certificates within cloud services like GCP, it is crucial to immediately verify certificates and take necessary actions. This will ensure website security and provide users with safe services.