26 March, 2018
23,000 Users Have SSL Certificates Revoked In An Altercation Between Trustico And DigiCert.
How the Story Developed
On the second of February, Trustico asked DigiCert to revoke all 50,000 certificates that Trustico managed. This was prompted by DigiCert buying out Symantec's certificate business. Symantec had been at the centre of many stories regarding the compromise of its certificates.
Trustico is a certificate reseller; it dropped DigiCert and moved its business to Comodo. In the meantime, DigiCert denied the request to revoke the certificates, stating that industry guidelines were not clear on whether a certificate reseller has that sort of power.
DigiCert said it would only revoke the certificates if there was evidence of a security breach. At that point, according to DigiCert, Trustico sent an email containing the private keys of 23,000 customer certificates.
CA industry rules state that compromised certificates must be revoked within 24 hours after a security incident. It was at this point that DigiCert started the process of revoking the 23,000 compromised certificates.
How And Why Did Trustico Have 23,000 Private Keys?
It is thought that Trustico was automating the Certificate Signing Request (CSR) process on behalf of its customers. It was generating the key material needed for the SSL certificates but also keeping a copy of each private key.
The CA is not supposed to have any knowledge of the private key. Having access to the private key is like having the key to the kingdom; as such, it should be known only to the owner.
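The safe version of the process described above, as an added example that is not part of the original article: the key pair and the CSR are generated on the owner's own machine, only the CSR is handed to the CA or reseller, and a check confirms that the CSR really carries the public half of the key held locally. It assumes a working `openssl` binary; the file names and the hostname are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from any CA or reseller.
# Assumes `openssl` is installed. Paths and the CN below are made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate the private key locally, owner-readable only (umask in a subshell so
# it does not leak into the caller). This file is never sent anywhere; the CA
# and any reseller see nothing but the CSR.
gen_key() {
  key="$1"
  ( umask 077; openssl genpkey -algorithm EC \
      -pkeyopt ec_paramgen_curve:P-256 -out "$key" 2>/dev/null )
}

# Build a CSR for a hostname from the local key. The CSR holds the public key,
# the requested subject and a self-signature; it contains nothing secret.
gen_csr() {
  key="$1"; csr="$2"; cn="$3"
  openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" 2>/dev/null
}

# Return 0 if the public key embedded in the CSR matches the private key on
# disk, 1 otherwise. Use the same comparison against the issued certificate
# (openssl x509 -pubkey -noout) to detect a cert that does not belong to you.
key_matches_csr() {
  key="$1"; csr="$2"
  pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  pub_from_csr=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_csr" ]
}

# Return 0 if the CSR's self-signature verifies, i.e. it was made with the
# private key it claims and was not altered after signing.
csr_signature_ok() {
  openssl req -in "$1" -verify -noout >/dev/null 2>&1
}

# Return 0 if the file we are about to upload contains no private key block.
contains_no_private_key() {
  ! grep -q "PRIVATE KEY" "$1"
}

main() {
  gen_key "$WORKDIR/site.key"
  gen_csr "$WORKDIR/site.key" "$WORKDIR/site.csr" "www.example.test"
  csr_signature_ok "$WORKDIR/site.csr"
  key_matches_csr "$WORKDIR/site.key" "$WORKDIR/site.csr"
  contains_no_private_key "$WORKDIR/site.csr"
  echo "upload only $WORKDIR/site.csr; $WORKDIR/site.key stays on this host"
}

main "$@"
```

Run it as-is to produce a key and CSR in a temporary directory; the last line names the one file that should ever reach a CA. A reseller that offers to "generate the CSR for you" in a web form is, by construction, holding the private key, which is exactly the situation the article describes.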
DigiCert Notifies Mozilla
DigiCert has now notified the likes of Mozilla, developer of the popular web browser Firefox, that 23,000 keys have been compromised.
DigiCert will publicly release the private keys later, so that browsers can mark them as untrusted.
Why did Trustico want to revoke the certificates in the first place?
Symantec's SSL-issuance business was bought out by DigiCert. By that point, Symantec had made a bad name for itself in the certificate business, having been at the centre of many different security incidents. Last year it got to the point where Google announced it would start distrusting any Symantec-issued certificate, compromised or not.
These 50,000 certificates, originally bought for resale by Trustico, were issued on the old Symantec infrastructure, so Trustico felt it was a good idea to revoke them.
Little did anyone know that Trustico was playing fast and loose with security practices just as much as Symantec was.
The Current State of the Situation
On the 2nd of March, Trustico's system for replacing the revoked certificates failed. This leaves 23,000 users and companies with websites and apps that will now encounter HTTPS security errors.
It would be surprising if anyone were to trust Trustico going forward. The ineptitude on its part has led to the disruption of tens of thousands of websites. On top of that, Trustico also automatically stores your private keys, meaning the security of your website is not truly in your hands.
Note: never disclose your private keys to anyone; that is what keeps the security intact.