On February 2nd an official at DigiCert received a request from Trustico to revoke over 50,000 Certificates that had been issued through the reseller Trustico.
DigiCert then needed to confirm that either the keys were compromised or that the revocation was authorized by the owner of the SSL Certificate. The certificates were not alleged to be compromised at that time.
After this Trustico said the private keys were compromised without giving specifics or details on how they were compromised. This was to trigger the 24-hour revocation requirement set by Certificate Authorities when a Private Key / Certificate becomes compromised.
On 27th February DigiCert then received a file from Trustico containing over 23,000 Private Keys.
In a statement released by DigiCert they stated: “When he sent us those keys, his action gave us no choice but to act in accordance with the CA/Browser Forum Baseline Requirements, which mandate that we revoke a compromised certificate within 24 hours.”
At first no information was provided by Trustico as to how the private keys were acquired or compromised. Trustico have suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect.
DigiCert had to revoke the certificates because they were sent the private keys by Trustico which had nothing to do with future distrust dates by Google Chrome.
DigiCert have only contacted and revoked the Certificates that match a Private Key in the file sent from Trustico, leaving another 27,000 Certificates possibly compromised.
You can read more about the events and actions by DigiCert here
What to do if you had an SSL issued from Trustico
If you have had any SSL issued from Trustico that was generated using a CSR and Private Key generated on their website, we highly recommend you do a reissue of your SSL or revoke it and order a new one. Any SSL using a CSR/Key pair generated on their system could be compromised.
This event can be a reminder that you should never trust anyone with your Private Keys. You should only ever share your CSR when generating/configuring a new or reissued SSL Certificate. Your Private Keys should be generated and kept safe only on the servers on which you wish to install the Certificates.
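As an added example (not from this article, nor DigiCert's or Trustico's own tooling), the following script keeps key generation on the server, hands out only the CSR, and checks that a key, a CSR and an issued certificate all carry the same public key. The same pairing check is what a CA applies to a submitted key file to decide which certificates are compromised. The working directory and CN=example.test are assumed for the demo.

```shell
#!/bin/sh
# Added example, not the article's code: local key/CSR generation plus a
# key-to-CSR and key-to-certificate pairing check. Paths and CN are made up.

WORK="${WORK:-$(mktemp -d)}"

# Generate the private key and CSR locally. Only server.csr should ever be
# handed to a reseller or CA; server.key never leaves this host.
gen_key_and_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  chmod 600 "$WORK/server.key"
  openssl req -new -key "$WORK/server.key" -subj "/CN=example.test" \
    -out "$WORK/server.csr" 2>/dev/null
}

# Print the SubjectPublicKeyInfo PEM held in a private key, CSR or certificate.
# All three commands emit the same PEM for the same key, so the outputs
# compare directly; nothing about the private half is printed.
pubkey_pem() {
  case "$1" in
    key) openssl pkey -in "$2" -pubout 2>/dev/null ;;
    csr) openssl req -in "$2" -pubkey -noout 2>/dev/null ;;
    crt) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ;;
  esac
}

# Succeed only when both objects parse and hold the same public key;
# an unreadable file must never count as a match.
same_pubkey() {
  a="$(pubkey_pem "$1" "$2" || true)"
  b="$(pubkey_pem "$3" "$4" || true)"
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Did this CSR come from the key held on this server?
csr_matches_key() { same_pubkey csr "$1" key "$2"; }

# Was this certificate issued for this key? A CA given a key file runs this
# check; a match means the certificate is compromised and must be revoked
# within 24 hours under the Baseline Requirements.
cert_matches_key() { same_pubkey crt "$1" key "$2"; }

# Stand-alone run: simulate issuance with a self-signed certificate.
if [ "${DEMO:-1}" = 1 ]; then
  gen_key_and_csr
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 1 -out "$WORK/server.crt" 2>/dev/null
  csr_matches_key "$WORK/server.csr" "$WORK/server.key" && echo "CSR matches key"
  cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "cert matches key"
fi
```

In practice the certificate is the one returned by the CA rather than the self-signed stand-in used here; the check is the same.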