Harrison Blog

DigiCert Certificate Crisis: SSL/TLS Security Issue Requiring Action Within 24 Hours

Created: 2024-07-31 11:26

GCP Console

DigiCert announced (http://www.digicert.com/support/certificate-revocation-incident) that they would revoke certain certificates which were issued without proper Domain Control Validation. If you are affected by the issue, DigiCert will have sent a notification to your contact email address. You will see a CNAME revocation incident banner when you log in to CertCentral. To reissue/rekey your certificates, refer to the DigiCert announcement (http://www.digicert.com/support/certificate-revocation-incident). Once you have reissued the certificates, update your Google Cloud HTTP(S) Load Balancer configuration by following these instructions (https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs). If you need additional help, please contact Google Cloud Support using https://cloud.google.com/support.


I noticed a warning/alert message when I accessed GCP. After following the links and checking the details, I summarized the overall content. Basically, it stated that they have identified a problem with some (0.4%) of the TLS certificates issued through DigiCert and will revoke those certificates. First, since DigiCert states it's only 0.4%, it doesn't seem like a major issue.

I believe that in most cases, cloud administrators use either TLS certificates provided by each cloud vendor or Let's Encrypt certificates. Other cases might involve on-premises or custom certificates, but it seems unlikely to cause an internet-wide disruption.

Here's a summary of the details:

1. Cause of the Issue

A bug existed in DigiCert's domain control validation process for the DNS CNAME method: the underscore (_) that should prefix the validation label was not added. This bug persisted from August 2019 until recently. The root cause was the omission of a crucial security procedure during the system modernization process.

2. Scope of Impact

Approximately 0.4% of the certificates issued by DigiCert were affected by this issue. While the percentage may seem small, considering the number of certificates used globally, a significant number of websites could be affected.

3. Actions Required

Affected certificates must be revoked and reissued within 24 hours. This is a critical action due to security concerns.

4. User Response Procedures

  • Log in to your CertCentral account to check for affected certificates.
  • Generate a new CSR (Certificate Signing Request).
  • Reissue and install the certificate.

5. Precautions for Cloud Service Users

GCP or other cloud service users employing custom DigiCert certificates may be directly impacted by this issue and should take immediate action. If using default certificates from cloud providers or Let's Encrypt, there is likely no direct impact.
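As an added illustration of sections 1 and 4 (my own code, not from the blog, DigiCert or Google): the first two functions show the CNAME owner name the validation should have used and the underscore check that the incident's bug skipped; the rest triages a certificate inventory, taken from the text that `openssl x509 -noout -subject -issuer -startdate` prints, and flags DigiCert-issued certificates with a notBefore on or after August 2019 for a manual look in CertCentral. The sample inventory is constructed, and a REVIEW flag only means "check this one", since only CertCentral or DigiCert's notification confirms that a certificate is actually affected.

```python
"""Triage helper for the DigiCert CNAME DCV incident (added example, not the
blog's, DigiCert's or Google's code). The inventory below is constructed."""
from datetime import datetime, timezone
import re

# Start of the window the post describes ("August 2019 until recently").
AFFECTED_FROM = datetime(2019, 8, 1, tzinfo=timezone.utc)

# Constructed sample: output of `openssl x509 -noout -subject -issuer
# -startdate` for three certificates, one blank-line-separated block each.
SAMPLE_INVENTORY = """\
subject=CN = shop.example.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Example Issuing CA
notBefore=May  3 00:00:00 2024 GMT

subject=CN = old.example.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Example Issuing CA
notBefore=Jan 15 00:00:00 2018 GMT

subject=CN = www.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
notBefore=Jul  1 00:00:00 2024 GMT
"""

def dcv_cname_owner(domain: str, random_value: str) -> str:
    """Owner name of the DCV CNAME: the random value gets a leading '_' so the
    label can never be a real hostname under the domain."""
    return f"_{random_value}.{domain}"

def dcv_owner_is_compliant(owner: str) -> bool:
    """The defect in the post: the first label was emitted without the '_'."""
    return owner.split(".", 1)[0].startswith("_")

def parse_openssl_block(block: str) -> dict:
    """Map 'subject=...', 'issuer=...', 'notBefore=...' lines to a dict."""
    fields = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition("=")  # split only on the first '='
        fields[key.strip()] = value.strip()
    return fields

def needs_review(fields: dict) -> bool:
    """DigiCert-issued and notBefore inside the window -> check CertCentral."""
    stamp = " ".join(fields["notBefore"].split()).rsplit(" ", 1)[0]  # drop 'GMT'
    not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return "DigiCert" in fields.get("issuer", "") and not_before >= AFFECTED_FROM

def triage_inventory(text: str) -> list:
    """Return [(subject, 'REVIEW' or 'OK'), ...] for each block in the dump."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [(f["subject"], "REVIEW" if needs_review(f) else "OK")
            for f in map(parse_openssl_block, blocks)]
```

Run it against a real dump by piping each certificate through the openssl command above and concatenating the blocks with blank lines between them.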

6. Future Outlook

This incident serves as a reminder of the importance and complexity of digital certificates. In the future, certificate authorities are expected to implement stricter validation processes and system checks.

In conclusion, while this DigiCert certificate issue is not expected to cause widespread internet disruption, it is a critical concern for website administrators whose sites are affected. Especially for those utilizing custom SSL/TLS certificates in cloud services like GCP, it's essential to verify certificates immediately and take necessary steps. This will ensure website security and the provision of safe services to users.
