- DigiCert has decided to bring on the chaos, revoking 50,000 EV HTTPS certificates by tomorrow.
- This affects a large number of online entities who will have to secure one or hundreds of replacements in time.
- The notice period was just five days, and the cause was non-compliance by some of DigiCert's intermediate CAs.
DigiCert has issued an urgent notice warning website administrators that they have until July 11, 2020, at 12 pm MDT (July 11, 18:00 UTC) to replace their EV (extended validation) certificates with new, valid ones. Although no security threat has been identified so far, these certificates are being revoked because of poor auditing processes followed by some of DigiCert's intermediate CAs. That includes certificates signed by GeoTrust, Thawte, CertCentral, and Symantec. To clarify, it's not that these entities signed insecure certificate extensions, but that they did so without following DigiCert's auditing rules.
So, according to the announcement, the following ICAs will be retired within hours:
- DigiCert Global CA G2
- GeoTrust TLS RSA CA G1
- Secure Site CA
- Thawte TLS RSA CA G1
- Cybertrust Japan Secure Server ECC CA
- DigiCert Global CA G3
- GeoTrust TLS ECC CA G1
- Thawte TLS ECC CA G1
- NCC Group Secure Server CA G3
- Aetna Inc. Secure CA2
- DigiCert SHA2 High Assurance Server CA
- NCC Group Secure Server CA G2
- Plex Devices High Assurance CA2
- TERENA SSL High Assurance CA 3
The above will be replaced with the following new ICAs:
- DigiCert EV RSA CA G2
- GeoTrust EV RSA CA G2
- Thawte EV RSA CA G2
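As an added example (not code from DigiCert or from the article), this is the check an operator would run over a saved leaf certificate: a small standard-library DER walker reads the issuer's commonName out of the certificate and compares it with the ICAs listed in the notice. `sample_cert()` fabricates a minimal, constructed skeleton so the check can be exercised offline; in practice you would pass `issuer_cn()` the DER bytes of your own certificate.

```python
# Added example, not DigiCert's code: stdlib-only DER walker that reads a leaf
# certificate's issuer CN and matches it against the ICAs named in the notice.
RETIRED_ICAS = {
    "DigiCert Global CA G2", "DigiCert Global CA G3", "Secure Site CA",
    "GeoTrust TLS RSA CA G1", "GeoTrust TLS ECC CA G1", "Thawte TLS RSA CA G1",
    "Thawte TLS ECC CA G1", "Cybertrust Japan Secure Server ECC CA",
    "NCC Group Secure Server CA G3", "NCC Group Secure Server CA G2",
    "Aetna Inc. Secure CA2", "DigiCert SHA2 High Assurance Server CA",
    "Plex Devices High Assurance CA2", "TERENA SSL High Assurance CA 3",
}
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3) in DER

def _tlv(buf, i):
    # Decode one tag-length-value at buf[i]; return (tag, value, next offset).
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def _children(value):  # members of a constructed value as (tag, value) pairs
    i = 0
    while i < len(value):
        tag, v, i = _tlv(value, i)
        yield tag, v

def issuer_cn(der):
    _, cert, _ = _tlv(der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = list(_children(next(_children(cert))[1]))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    for _, rdn in _children(fields[2][1]):  # serial, signature, issuer Name
        for _, atv in _children(rdn):  # each RDN is a SET of type/value pairs
            oid, val, *_ = _children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8")  # PrintableString or UTF8String
    return None

def issued_by_retired_ica(der):
    return issuer_cn(der) in RETIRED_ICAS

def _der(tag, payload):  # short-form DER encoder, enough for the small sample
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def sample_cert(issuer):  # constructed skeleton for testing, not a valid certificate
    atv = _der(0x30, _der(0x06, CN_OID) + _der(0x0C, issuer.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, _der(0x31, atv)))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A hit on `issued_by_retired_ica()` means the certificate must be replaced before the deadline; a miss only says the issuer is not in this list, not that the chain is otherwise healthy.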
DigiCert realized what had happened on July 2 and found itself in a difficult position. Obviously, revoking 50,000 certificates at such short notice isn't an easy task, and dealing with all the consequences that follow is next to impossible. Customers using the certificates that are about to be revoked are not happy with the decision, as many of them will have to work with a large number of third parties, get their teams engaged and coordinated, and make it all happen within the five-day notice period.
Serving a revoked HTTPS certificate means losing the trust of the visitor's web browser and antivirus tool and, by extension, the trust of the visitor who sees the warning messages. The site can no longer prove to the visitor that it is what it claims to be. These certificates are signed by trusted entities as a way to establish the authenticity of websites, and their validity periods are currently being shortened for security reasons.