DigiCert has issued an urgent notice, warning website administrators that they have until July 11, 2020, at 12 pm MDT (July 11, 18:00 UTC) to replace their EV (extended validation) certificates with new and valid ones. Although no security threat has been identified at the moment, these certificates are being revoked due to poor auditing processes followed by some of DigiCert’s intermediate CAs. That would include certificates signed by GeoTrust, Thawte, CertCentral, and Symantec. To clarify, it’s not that these entities signed insecure certificate extensions, but that they did so without following DigiCert’s auditing rules.
So, according to the announcement, the following ICAs will be retired in a few hours from now:
The above will be replaced with new ICAs from:
DigiCert realized what had happened on July 2, and had a difficult situation on its hands. Obviously, revoking 50,000 certificates on such short notice isn’t an easy task, and dealing with all the consequences that would arise is next to impossible. The customers who are using the certificates that are about to be revoked are not very happy with the decision, as many of them will have to work together with a large number of third parties, get the teams engaged and coordinated, and make it all happen within five days (the notice period).
Using an invalidated HTTPS certificate means losing the trust of the user’s web browser and AV tool and, by extension, the trust of the user who will see the warning messages. It basically means not being able to prove to the visitor that the website is indeed the one it claims to be. These certificates are signed by trusted entities as a way to establish the authenticity of websites, and their lifetime is currently being shortened for security reasons.