CABF requires that, in one format of DNS CNAME entries, a random value be prefixed with an underscore, and DigiCert found that, in some cases, that character was not included, making the validation non-compliant. Under CABF rules, those certificates must be revoked within 24 hours, without exception.
However, DigiCert said in an update to its status page on Tuesday, and in an email to customers, “Unfortunately, some customers who use critical infrastructure are not in a position to have all of their certificates issued and used in a timely manner without critical service disruptions. To avoid disruptions to critical services, we have shared and browser representatives with these customers over the past few hours. Based on these discussions, we are now in a position to reverse the withdrawal under exceptional circumstances.”
Since then, DigiCert has updated its status page to read, “DigiCert continues to fully engage with customers affected by this incident and many of them have been able to replace their certificates. Some customers have applied for delayed withdrawals due to extraordinary circumstances and we are working with them in their circumstances. We do not accept any late withdrawal requests.”