Home Security Trustico revokes SSL certificates due to stored private keys
Trustico revokes SSL certificates due to stored private keys Featured

SSL certificate wholesaler Trustico has revoked tens of thousands of certificates that it issued on behalf of digital certificate provider DigiCert, an order that is likely to occasion the purchasers of those certificates much pain.

According to a post by Jeremy Rowley, an official at DigiCert, on the Mozilla Developers security mailing list, Trustico had asked on 2 February for a mass revocation of all certificates that been ordered through the company by end users. His post was titled "How do you handle mass revocation requests?"

Trustico later told DigiCert that it was holding the private keys which would mean that the certificates were thus compromised. 

Rowley said that on 27 February, DigiCert had received a file with 23,000 private keys matched to specific Trustico customers.

"At this time, Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys. As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys," he said.

In a response to Rowley's post, Zane Lucas, general manager at Trustico, said: "We didn't authorise DigiCert to contact our customers and we didn't approve the content of their e-mail. At no time had any private keys been compromised, nor had we ever informed to you that any private keys had been compromised.

"During our many discussions over the past week we put it to you that we believe Symantec to have operated our account in a manner whereby it had been compromised. Your usage of the word compromise has been twisted by you to your benefit and is absolutely defamatory."

In a statement issued at about 6.08am AEDT, DigiCert said: “Trustico requested revocation of their Symantec, GeoTrust, Thawte and RapidSSL certificates, claiming the certificates were compromised. 

"When we asked for proof of the 'compromise', Trustico did not provide details on why they were requesting the immediate revocation. Trustico’s CEO indicated that Trustico held the private keys for those certificates, and then emailed us approximately 20,000 certificate private keys.

"When he sent us those keys, his action gave us no choice but to act in accordance with the CA/Browser Forum Baseline Requirements, which mandate that we revoke a compromised certificate within 24 hours. 

"As a CA, we had no choice but to follow the Baseline Requirements. Following our standard revocation process, we gave notice via email to each certificate holder whose private keys had been exposed to us by Trustico, so they could have time to get a replacement certificate.

"In communications today, Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates.

"The upcoming Chrome distrust situation is entirely separate. We are working closely to help customers with certificates affected by the browser distrust, and we are offering free replacement certificates through their existing customer portals. That process is well underway."

The revocation of the certificates by Trustico appears to be related to its decision to stop dealing with DigiCert. Earlier this month, Trustico stopped using certificates from Symantec.

In the words of Jake Williams, the chief executive of Rendition Infosec and a former hacker with the NSA's elite Tailored Access Operations unit, "Trustico was storing private keys for its customers (something it never should have had, let alone stored,). That's not how CAs are supposed to work. This is insane."

Another security expert, Briton Kevin Beaumont, said Trustico had emailed 23,000 private keys to certificates "which means the certificates were fundamentally broken - i.e. if you have (the) private key you can decrypt traffic, which the certs were supposed to protect".

The possession of a private key would mean that it is possible to do man-in-the-middle interception, according to Beaumont.

According to one poster, haz31, on the Whirlpool broadband forums, "So seems.... they maybe kept a copy of peoples private keys (never mind how they got them for processing CSRs... maybe they did a silent private key swap).

"They sent them via email to get their certifs from old reseller revoked. This isn't going to be nice for some people to wake up to."

The representative of a Melbourne data centre and hosting service, Micron21, who posted under the name James B on the Whirlpool forums, wrote: "(The) latest news is Trustico have stopped using DigiCert for legal reasons, Trustico new wholesale provider is Comodo (as of a few minutes ago)."

His post was made on 28 February at 8.49pm AEDT.

"Comodo are providing free replacement certificates for any DigiCert certificates for anyone affected, however they won't provide promo code for the free certificates until tomorrow .... so not sure how it will work yet when everything is due to expire in a few hours....," he added.


With 4 keynotes + 33 talks + 10 in-depth workshops from world-class speakers, YOW! is your chance to learn more about the latest software trends, practices and technologies and interact with many of the people who created them.

Speakers this year include Anita Sengupta (Rocket Scientist and Sr. VP Engineering at Hyperloop One), Brendan Gregg (Sr. Performance Architect Netflix), Jessica Kerr (Developer, Speaker, Writer and Lead Engineer at Atomist) and Kent Beck (Author Extreme Programming, Test Driven Development).

YOW! 2018 is a great place to network with the best and brightest software developers in Australia. You’ll be amazed by the great ideas (and perhaps great talent) you’ll take back to the office!

Register now for YOW! Conference

· Sydney 29-30 November
· Brisbane 3-4 December
· Melbourne 6-7 December

Register now for YOW! Workshops

· Sydney 27-28 November
· Melbourne 4-5 December



Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the sitecame into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


Popular News




Sponsored News