Attention Webmasters/Developers/IT Administrators: DigiCert Revokes a Large Number of Non-Compliant CNAME Verified TLS Certificates
The well-known digital certificate authority DigiCert recently announced in a blog post that it is revoking approximately 0.4% of its domain validation certificates. Given the company's market share in the digital certificate industry, this 0.4% could affect tens of thousands or even more digital certificates.
The primary reason for the revocation is that DigiCert found errors in domain validations performed with CNAME records. In this method the prefix must normally include an underscore, and subdomains without the underscore are considered non-compliant.
During some CNAME-based validations, DigiCert noticed the absence of the underscore prefix. According to the rules of the CA/Browser Forum (CABF), these non-compliant and problematic digital certificates must be revoked within 24 hours.
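The underscore rule described above, as an added example (not code from DigiCert or the original article): a Python audit of zone-file text that flags validation CNAMEs whose prefix label lacks the underscore. The zone lines, the validated domain list and the validation target `dcv.ca.example` are constructed assumptions.

```python
# Added example: audit CNAME validation records for the underscore prefix.
# All names below are constructed samples, not taken from any real zone or CA.
SAMPLE_ZONE = """\
; constructed sample records
_a1b2c3d4e5.example.com.      300 IN CNAME dcv.ca.example.
f6e7d8c9b0.example.com.       300 IN CNAME dcv.ca.example.
_0f9e8d7c6b.shop.example.com. 300 IN CNAME dcv.ca.example.
www.example.com.              300 IN CNAME cdn.example.net.
9a8b7c6d5e.shop.example.com.  300 IN CNAME DCV.CA.EXAMPLE.
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_cnames(zone_text):
    """Yield (owner, target) for each CNAME line in simple zone-file text."""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip ';' comments
        types = [f.upper() for f in fields]
        if "CNAME" not in types[1:-1]:  # needs an owner before and a target after
            continue
        i = types.index("CNAME", 1)
        yield normalize(fields[0]), normalize(fields[i + 1])


def audit(zone_text, validated_domains, dcv_target):
    """Classify every CNAME that points at the CA's validation target."""
    domains = {normalize(d) for d in validated_domains}
    findings = []
    for owner, target in parse_cnames(zone_text):
        if target != normalize(dcv_target):
            continue  # ordinary CNAME, not a validation record
        prefix, _, parent = owner.partition(".")
        if owner in domains:
            status = "at-domain"  # record sits on the validated name, no prefix label
        elif parent in domains and prefix.startswith("_"):
            status = "underscore-prefix"
        elif parent in domains:
            status = "missing-underscore"  # the case behind the revocation
        else:
            status = "unknown-domain"  # not one of the names we validated
        findings.append((owner, status))
    return findings


if __name__ == "__main__":
    for owner, status in audit(SAMPLE_ZONE, ["example.com", "shop.example.com"], "dcv.ca.example"):
        print(f"{status:20} {owner}")
```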
DigiCert has already emailed all affected customers, asking them to revalidate and replace their certificates immediately. If customers do not replace their certificates in time, their websites, servers, or applications may not be able to connect properly.
Note that some websites may use certificates that were not issued directly by DigiCert; because DigiCert acts as the root CA, they are still affected in this scenario. Site owners should ask the intermediate CA through which they applied for the certificate whether a replacement is needed.
For DigiCert, this is a significant issue that could affect its reputation in the CA field. Because any operation that does not follow CABF rules is treated as non-compliant, DigiCert decided to revoke all problematic certificates within 24 hours, even if this may affect customers' usage.
Landian.news used to use digital certificates issued by DigiCert but has since switched to free certificates provided by Let’s Encrypt to save on expenses, so fortunately it no longer has to worry about this issue.