Who Can Access Your Private Keys? DigiCert Revokes 23K Certificates after Receiving Mysterious Tip from Reseller

March 1, 2018 | David Bisson

Here’s what we know: DigiCert revoked 23,000 digital certificates after receiving a tip of a mass compromise from one of its resellers, Trustico. Here’s what we don’t know: how Trustico gained access to the 23,000 private keys it sent to DigiCert, the certificate authority (CA), as proof of compromise. Here’s what we can assume: Trustico customers and others will start investigating who has access to their private keys.


On 28 February, Reddit users shared how they had received an email from DigiCert explaining that the CA would revoke their certificates. The message attributed the scheduled revocation to a compromise of the private key for each affected user's certificate. Under the CA/Browser Forum Baseline Requirements (PDF), a CA must revoke a certificate within 24 hours if it receives proof that the certificate's private key has been compromised.

Concerned customers contacted DigiCert for clarification about what had happened. The CA responded by issuing a statement. In it, DigiCert ties its decision to a revocation request it had previously received from Trustico, a certificate reseller with which it is terminating its business relationship.

Jeremy Rowley, executive vice president of product at DigiCert, explains in a Google Groups post that DigiCert received a request for revocation of all Trustico customers' Symantec, GeoTrust, Thawte, and RapidSSL certificates on 2 February. The reseller sent the email to the wrong team, so it took some time for the CA to learn of the matter. When it did, it requested Trustico provide it with proof of the compromise. The reseller responded on 27 February by sending over a file containing 23,000 private keys for some of its customers' certificates.

DigiCert verified that those keys matched the affected RapidSSL certificates. That verification triggered its 24-hour revocation policy, and the CA began contacting customers.
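The verification step described above (confirming that a submitted private key really is the key behind a given certificate) is the check a CA, or a defender auditing a leaked key file, has to perform before treating a certificate as compromised. The following is an added example, not DigiCert's or Trustico's code, showing one way to do it with the Python `cryptography` library: it compares the SubjectPublicKeyInfo of the private key with that of the certificate, and then applies the same comparison across a batch of submitted keys to find which certificates in a population are affected. The hostnames, the self-signed fixtures and the helper names are constructed for the demo; in practice the certificates would come from the CA's own database and the keys from the submitted file.

```python
"""Added example: does a submitted private key match an X.509 certificate?"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def public_key_fingerprint(public_key) -> bytes:
    """SHA-256 of the DER-encoded SubjectPublicKeyInfo.

    The SPKI is identical whether it is derived from the private key or
    read out of the certificate, so equal digests mean the same key pair.
    """
    spki = public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    digest = hashes.Hash(hashes.SHA256())
    digest.update(spki)
    return digest.finalize()


def key_matches_certificate(private_key_pem: bytes, certificate_pem: bytes) -> bool:
    """True if the private key is the one the certificate was issued for."""
    private_key = serialization.load_pem_private_key(private_key_pem, password=None)
    certificate = x509.load_pem_x509_certificate(certificate_pem)
    return public_key_fingerprint(private_key.public_key()) == public_key_fingerprint(
        certificate.public_key()
    )


def certificate_serial(certificate_pem: bytes) -> int:
    """Serial number of a PEM certificate (what a revocation entry would carry)."""
    return x509.load_pem_x509_certificate(certificate_pem).serial_number


def triage_submitted_keys(submitted_keys, certificates):
    """Return the serial numbers of every certificate whose private key appears
    in the submitted batch. Malformed entries in the batch are skipped; a real
    verifier would log them rather than silently drop them."""
    seen = set()
    for pem in submitted_keys:
        try:
            key = serialization.load_pem_private_key(pem, password=None)
        except ValueError:
            continue  # not a parseable key; nothing to match against
        seen.add(public_key_fingerprint(key.public_key()))
    compromised = set()
    for pem in certificates:
        cert = x509.load_pem_x509_certificate(pem)
        if public_key_fingerprint(cert.public_key()) in seen:
            compromised.add(cert.serial_number)
    return compromised


def make_self_signed(common_name: str):
    """Constructed fixture: a throwaway RSA key and a self-signed certificate
    for it, so the example runs offline with no real customer material."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    key_a, cert_a = make_self_signed("a.example.test")  # constructed names
    key_b, cert_b = make_self_signed("b.example.test")
    print("key A matches cert A:", key_matches_certificate(key_a, cert_a))
    print("key A matches cert B:", key_matches_certificate(key_a, cert_b))
    hits = triage_submitted_keys([key_a, b"not a key"], [cert_a, cert_b])
    print("certificates to revoke:", [hex(s) for s in hits])
```

Matching on the SubjectPublicKeyInfo rather than on the raw key bytes keeps the check format-independent (PKCS#8 versus traditional PEM, RSA versus ECDSA) and avoids ever re-using the submitted private key for anything beyond deriving its public half.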

The CA has yet to receive information from Trustico about what caused the certificate compromise and how it acquired the exposed private keys.

With that said, DigiCert used its statement to set the record straight on misinformation issued by the reseller about the revocation's cause:

"In communications today, Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates. The upcoming Chrome distrust situation is entirely separate."


Rowley says Trustico sent DigiCert a total of 50,000 certificate revocation requests; DigiCert itself never held any of the private keys. The CA decided to immediately revoke only those certificates for which it had verified the exposed private keys. It could, however, revoke additional RapidSSL certificates processed by Trustico in the future.

In the meantime, incidents such as this highlight the need for organizations to invest in a robust certificate monitoring platform that can streamline the process of purchasing and monitoring their cryptographic keys and certificates.

Nick Hunter, senior digital trust researcher for Venafi, sums up the scope and impact of a CA event such as this. “Most organizations don’t have any idea how to respond quickly to an event like this because they don’t think about the impact that Certificate Authorities will have on their network and reliability. It’s easy to assume that events like these only happen once in a blue moon, but the reality is that they happen regularly. Any organization that is unprepared to respond will not have the tools needed to diagnose and repair it quickly.”

About the author

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.