Bugzilla #1978163
Certificate Problem Report
DigiCert: Re-use of WHOIS validation shortly after deadline
RESOLVED
DigiCert
AI Summary
DigiCert issued 1,834 certificates using WHOIS validation after the CA/B Forum's deprecation of this method on July 15, 2025. The issue arose when validations relying on a DNS CNAME alias were not blocked as intended. DigiCert's internal review identified the problem, and all affected certificates were revoked and replaced with compliant validations. The incident has sparked discussions about the interpretation of the TLS Baseline Requirements regarding CNAME usage in domain validation.
Chronology
- WHOIS validation method deprecated
- Validation issue identified
- Affected certificates revoked
- OSS DCV framework adopted
Participants
DigiCert
Mozilla
Sectigo
Google Chrome
External References
Similar Local Cases
DigiCert: DCV logging issue
DigiCert: inconsistent revocation / OCSP / CRL behavior
DigiCert: Subject Serial Numbers for Non-Commercial Entities
DigiCert: Several non-functioning AIA URLs
DigiCert: Some certificates issued with CRLDPs that don’t exactly match CCADB disclosures
DigiCert: Random value in CNAME without underscore prefix
DigiCert: Underscores - Citi
DigiCert: improper use of domain validation method