Who Can Access Your Private Keys? DigiCert Revokes 23K Certificates after Receiving Mysterious Tip from Reseller

March 1, 2018 | David Bisson

Here’s what we know: DigiCert revoked 23,000 digital certificates after receiving a tip about a mass compromise from one of its resellers, Trustico. Here’s what we don’t know: how Trustico gained access to the 23,000 private keys it sent to the certificate authority (CA) as proof of compromise. Here’s what we can assume: Trustico customers and others will start investigating who has access to their private keys.

On 28 February, Reddit users reported receiving an email from DigiCert explaining that the CA would revoke their certificates. The message attributed the scheduled revocation to a compromise of the private key for each affected user's certificate. Under the CA/Browser Forum Baseline Requirements (PDF), a CA must revoke a certificate within 24 hours if it receives proof that the certificate's private key has been compromised.

Concerned customers contacted DigiCert for clarification about what had happened. The CA responded by issuing a statement. In it, DigiCert ties its decision to a revocation request it had previously received from Trustico, a certificate reseller with which it is terminating its business relationship.

Jeremy Rowley, executive vice president of product at DigiCert, explains in a Google Groups post that DigiCert received a request on 2 February to revoke all Trustico customers' Symantec, GeoTrust, Thawte, and RapidSSL certificates. The reseller sent the email to the wrong team, so it took some time for the CA to learn of the matter. When it did, it requested that Trustico provide proof of the compromise. The reseller responded on 27 February by sending over a file containing 23,000 private keys for some of its customers' certificates.

DigiCert verified that those keys matched the affected RapidSSL certificates. Only then did it trigger its 24-hour revocation policy and begin contacting customers.
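The verification step described above, as an added example in Go (not DigiCert's or Trustico's code): a submitted private key is accepted as proof of compromise only if its public half equals the public key inside the certificate it is claimed to belong to. The self-signed certificate and the key are constructed by the example itself as test data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// KeyMatchesCert performs the check DigiCert describes: does the public half of
// the PEM PKCS#8 private key equal the public key inside the PEM certificate?
func KeyMatchesCert(certPEM, keyPEM []byte) (bool, error) {
	cb, _ := pem.Decode(certPEM)
	kb, _ := pem.Decode(keyPEM)
	if cb == nil || kb == nil {
		return false, fmt.Errorf("input is not PEM")
	}
	cert, errC := x509.ParseCertificate(cb.Bytes)
	priv, errK := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if errC != nil || errK != nil {
		return false, fmt.Errorf("parse failed: cert=%v key=%v", errC, errK)
	}
	signer, ok := priv.(crypto.Signer) // RSA, ECDSA and Ed25519 keys all qualify
	pub, ok2 := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !ok2 {
		return false, fmt.Errorf("unsupported key type")
	}
	return pub.Equal(signer.Public()), nil
}

// NewSelfSigned builds a constructed self-signed test certificate for priv (not CA-issued), PEM-encoded.
func NewSelfSigned(priv crypto.Signer) (certPEM, keyPEM []byte) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)} // minimal template
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, key := NewSelfSigned(k)
	fmt.Println(KeyMatchesCert(cert, key)) // true <nil>
}
```

A key for an unrelated certificate yields false with no error, and non-PEM input yields an error, so a revocation pipeline can distinguish "not proof" from "malformed submission".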

The CA has yet to receive information from Trustico about what caused the certificate compromise and how it acquired the exposed private keys.

With that said, DigiCert used its statement to set the record straight on misinformation issued by the reseller about the revocation's cause:

"In communications today, Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates. The upcoming Chrome distrust situation is entirely separate."

Rowley says Trustico sent DigiCert, which never had the private keys, a total of 50,000 certificate revocation requests. The CA decided to immediately revoke only those certificates for which it had verified the exposed private keys. It could, however, revoke additional Trustico-processed RapidSSL certificates in the future.

In the meantime, incidents such as this highlight the need for organizations to invest in a robust certificate monitoring platform that streamlines the purchase and monitoring of their cryptographic keys and certificates.

Nick Hunter, senior digital trust researcher for Venafi, sums up the scope and impact of a CA event such as this. “Most organizations don’t have any idea how to respond quickly to an event like this because they don’t think about the impact that Certificate Authorities will have on their network and reliability. It’s easy to assume that events like these only happen once in a blue moon, but the reality is that they happen regularly. Any organization that is unprepared to respond will not have the tools needed to diagnose and repair it quickly.”

Here's how Venafi TrustAuthority can help.

About the author


David Bisson writes for Venafi's blog and is an expert in machine identity protection.