Here’s what we know: DigiCert revoked 23,000 digital certificates after receiving a tip of a mass compromise from one of its resellers, Trustico. Here’s what we don’t know: How Trustico gained access to the 23,000 private keys the certificate authority (CA) sent to DigiCert as proof of compromise. Here’s what we can assume: Trustico customers and others will start investigating who has access to their private keys.
On 28 February, Reddit users shared how they had received an email from DigiCert explaining that the CA would revoke their certificates. The message attributed the scheduled revocation to a compromise of the private keys for each affected user's certificate. Under the CA/Browser Forum Baseline Requirements (PDF), a CA must revoke a certificate within 24 hours if it receives proof that the document has been compromised.
Concerned customers contacted DigiCert for clarification about what had happened. The Certificate Authority responded by issuing a statement. In it, DigiCert ties its decision to a revocation request it had previously received from Trustico, a certificate reseller with which it is terminating its business relationship.
Jeremy Rowley, executive vice president of product at DigiCert, explains in a Google Groups post that DigiCert received a request for revocation of all Trustico customers' Symantec, GeoTrust, Thawte, and RapidSSL certificates on 2 February. The reseller sent the email to the wrong team, so it took some time for the CA to learn of the matter. When it did, it requested Trustico provide it with proof of the compromise. The reseller responded on 27 February by sending over a file containing 23,000 private keys for some of its customers' certificates.
DigiCert verified that those keys matched the affected RapidSSL certificates. It's then that it triggered its 24-hour revocation policy and began contacting customers.
The CA has yet to receive information from Trustico about what caused the certificate compromise and how it acquired the exposed private keys.
With that said, DigiCert used its statement to set the record straight on misinformation issued by the reseller about the revocation's cause:
"In communications today, Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates. The upcoming Chrome distrust situation is entirely separate."
Rowley says Trustico sent DigiCert, which never had the private keys, a total of 50,000 certificate revocation requests. The Certificate Authority decided to immediately revoke only those certificates for which it had verified the exposed private keys. It could revoke additional RapidSSL certificates processed by Trustico in the future, however.
In the meantime, incidents such as this highlight the need for organizations to invest in a robust certificate monitoring platform that can streamline the process of purchasing and monitoring their cryptographic keys and certificates.
Nick Hunter, senior digital trust researcher for Venafi, sums up the scope and impact of a CA event such as this. “Most organizations don’t have any idea how to respond quickly to an event like this because they don’t think how the impact of that Certificate Authorities will have on their network and reliability. It’s easy to assume that events like these only happen in a blue moon but the reality is that they happen regularly. Any organization that is unprepared to respond will not have the tools needed to diagnose and repair it quickly.”