DigiCert, a leading certificate authority (CA), began revoking thousands of SSL/TLS certificates due to a recently identified domain validation flaw. On July 29, the company informed its customers of the urgent need to revoke these certificates, citing strict compliance requirements set by the CA/Browser Forum (CABF). Initially, it was estimated that about 0.4% of validations were impacted; however, further discussions revealed that more than 83,000 certificates and over 6,800 subscribers were affected. WaterISAC is sharing this for member awareness of the implications for critical infrastructure and the possibility of critical service disruptions for affected organizations.
While DigiCert indicated that some customers could quickly reissue their certificates, those within critical infrastructure expressed concerns about the 24-hour timeframe, fearing it could cause significant disruptions to critical services. In response, DigiCert has offered a temporary reprieve for certain critical infrastructure operators that are unable to replace their impacted certificates in time. To facilitate a delay in revocation under exceptional circumstances, customers needed to have submitted a request by July 31 detailing their situation and the expected completion date. Nevertheless, according to DigiCert, all certificates impacted by this incident, regardless of circumstances, will be revoked no later than Saturday, August 3rd, 2024, 19:30 UTC.
DigiCert has provided updated information and revocation timelines, which can be found on the DigiCert website. For more details and information about the certificate revocations, visit BleepingComputer or SecurityWeek.