
Trustico revokes SSL certificates due to stored private keys

SSL certificate wholesaler Trustico has revoked tens of thousands of certificates that it issued on behalf of digital certificate provider DigiCert, an order that is likely to occasion the purchasers of those certificates much pain.

According to a post by Jeremy Rowley, an official at DigiCert, on the Mozilla Developers security mailing list, Trustico had asked on 2 February for a mass revocation of all certificates that had been ordered through the company by end users. His post was titled "How do you handle mass revocation requests?"

Trustico later told DigiCert that it was holding the private keys, which would mean that the certificates were compromised.

Rowley said that on 27 February, DigiCert had received a file with 23,000 private keys matched to specific Trustico customers.

"At this time, Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys. As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys," he said.
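As an added illustration, not code from the article or from either company, of why a CA or reseller never needs a customer's private key: the requester generates the key pair locally and submits only a certificate signing request (CSR), which carries the public key, the subject and a self-signature that the CA can verify with that public key alone. The CA-side check below also rejects any submission that carries private-key material, and the holder-side check confirms the CSR belongs to the key still held locally (the hostname is a constructed example).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"strings"
)

// GenerateKeyAndCSR creates the key pair on the requester's side and a CSR signed
// with it. Only the CSR should leave this machine; the private key never has to.
func GenerateKeyAndCSR(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// ValidateSubmission is the CA-side check: refuse anything containing private-key
// material, then verify the CSR's self-signature using only the embedded public key.
func ValidateSubmission(submission []byte) (*x509.CertificateRequest, error) {
	if strings.Contains(string(submission), "PRIVATE KEY") {
		return nil, errors.New("submission contains private key material; treat the key as compromised")
	}
	block, _ := pem.Decode(submission)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

// KeyMatchesCSR is the holder-side check: the CSR's public key must belong to the locally held key.
func KeyMatchesCSR(key *ecdsa.PrivateKey, csr *x509.CertificateRequest) bool {
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}
```

A holder who never ran the first step themselves (the reseller "generated the key for you") has no way to pass the last check, which is the practical reason such keys must be treated as compromised and replaced.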

In a response to Rowley's post, Zane Lucas, general manager at Trustico, said: "We didn't authorise DigiCert to contact our customers and we didn't approve the content of their e-mail. At no time had any private keys been compromised, nor had we ever informed you that any private keys had been compromised.

"During our many discussions over the past week we put it to you that we believe Symantec to have operated our account in a manner whereby it had been compromised. Your usage of the word compromise has been twisted by you to your benefit and is absolutely defamatory."

In a statement issued at about 6.08am AEDT, DigiCert said: "Trustico requested revocation of their Symantec, GeoTrust, Thawte and RapidSSL certificates, claiming the certificates were compromised.

"When we asked for proof of the 'compromise', Trustico did not provide details on why they were requesting the immediate revocation. Trustico’s CEO indicated that Trustico held the private keys for those certificates, and then emailed us approximately 20,000 certificate private keys.

"When he sent us those keys, his action gave us no choice but to act in accordance with the CA/Browser Forum Baseline Requirements, which mandate that we revoke a compromised certificate within 24 hours.

"As a CA, we had no choice but to follow the Baseline Requirements. Following our standard revocation process, we gave notice via email to each certificate holder whose private keys had been exposed to us by Trustico, so they could have time to get a replacement certificate.

"In communications today, Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates.

"The upcoming Chrome distrust situation is entirely separate. We are working closely to help customers with certificates affected by the browser distrust, and we are offering free replacement certificates through their existing customer portals. That process is well underway."

The revocation of the certificates by Trustico appears to be related to its decision to stop dealing with DigiCert. Earlier this month, Trustico stopped using certificates from Symantec.

In the words of Jake Williams, the chief executive of Rendition Infosec and a former hacker with the NSA's elite Tailored Access Operations unit, "Trustico was storing private keys for its customers (something it never should have had, let alone stored). That's not how CAs are supposed to work. This is insane."

Another security expert, Briton Kevin Beaumont, said Trustico had emailed 23,000 private keys to certificates "which means the certificates were fundamentally broken - i.e. if you have (the) private key you can decrypt traffic, which the certs were supposed to protect".

The possession of a private key would mean that it is possible to do man-in-the-middle interception, according to Beaumont.

According to one poster, haz31, on the Whirlpool broadband forums, "So seems.... they maybe kept a copy of peoples private keys (never mind how they got them for processing CSRs... maybe they did a silent private key swap).

"They sent them via email to get their certifs from old reseller revoked. This isn't going to be nice for some people to wake up to."

The representative of a Melbourne data centre and hosting service, Micron21, who posted under the name James B on the Whirlpool forums, wrote: "(The) latest news is Trustico have stopped using DigiCert for legal reasons, Trustico's new wholesale provider is Comodo (as of a few minutes ago)."

His post was made on 28 February at 8.49pm AEDT.

"Comodo are providing free replacement certificates for any DigiCert certificates for anyone affected, however they won't provide promo code for the free certificates until tomorrow .... so not sure how it will work yet when everything is due to expire in a few hours....," he added.



Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.