DigiCert revokes EV certificate due to urgent problem

On Tuesday 7 July, DigiCert, the former supplier of SURFcertificaten, informed SURF and the institutions of an urgent problem with Extended Validation (EV) certificates. Due to an error on DigiCert's part, these have not been adequately audited and should therefore not be used. DigiCert will revoke these certificates on 11 July at 8 pm.


Until 1 May, DigiCert was the certificate service provider for the SURF certificates service. Certificates issued before 1 May will continue to operate until the certificate's period of validity expires.

Institutions informed immediately

After the announcement, SURF immediately informed all the contact persons of the SURF certificates service, as well as the SCIPR and SCIRT security communities for the sake of security. There is also a page available with more information and instructions on how to replace and install the certificates as quickly as possible.

Request for postponement

SURF has looked into the possibility of submitting a request for postponement to DigiCert together with other parties. The period within which the certificates must be replaced and reinstalled is tight. We consider that the chance of postponement is small because DigiCert is under pressure from major browser suppliers who - because of this error - no longer wish to accept other DigiCert certificates.

No security risk

DigiCert is revoking the EV certificates because of an oversight in the audit. For the time being, there is no concrete indication of a security issue.

For more information, see the DigiCert website.