DigiCert urges critical infrastructure operators to request a delay if they cannot reissue their certificates, as required by an ongoing certificate mass-revocation process announced on Tuesday.

The company is mass-revoking transport layer security (TLS) certificates because of a non-compliance issue with domain control verification (DCV).

This procedure required 6,807 impacted customers to reissue 83,267 certificates within 24 hours by July 31, 19:30 UTC, after logging in to their DigiCert CertCentral account to identify affected certificates.

If the process is not completed before then, the websites, services, or applications using revoked TLS certificates will lose connectivity.

DigiCert identified a system update in August 2019 as the cause of the issue, which led to some validations being conducted without the underscore prefix until it was discovered on July 29. The problem was fixed weeks earlier, on June 11, as part of a user-experience enhancement project.

Critical infrastructure delays

While DigiCert says that customers can request a delay, this only applies to critical infrastructure operators whose inability to replace impacted certificates in time could disrupt critical services.

“Unfortunately, some customers operating critical infrastructure are not in a position to have all their certificates reissued and deployed in time without critical service interruptions,” the company said in an incident notice update on Wednesday.

“To avoid disruption to critical services, we have engaged with browser representatives alongside these customers over the last several hours. Based on these discussions, we are now in a position to delay revocations under exceptional circumstances.”

Those who haven’t replaced their certificates yet should email delayed-revocation-request@digicert.com with their CertCentral Account ID, the exceptional circumstances that require a delay in revocation, and the planned completion date (no later than Saturday, August 3, 19:30 UTC).

DigiCert will use this information to submit a request to delay the revocation with browser representatives. If DigiCert does not receive a delay request by Wednesday, July 31, 19:30 UTC, it will assume the certificates have been replaced and will revoke them.

“All impacted certificate serial numbers will continue to be listed in your DigiCert portal and will be removed once revoked. All certificates impacted by this incident, regardless of circumstances, will be revoked no later than Saturday, August 3rd 2024, 19:30 UTC,” the company added.

CISA also warned that DigiCert is revoking a number of TLS certificates and urged customers to contact the company “if unable to reissue/rekey certificates by the updated revocation deadline: 3:30 p.m., EDT, July 31, 2024.”