Trustico requests over 50,000 SSL Certificates to be revoked

Currently in the IT #security world there's a lot of talk and upset customers due to over 23,000 SSL Certificates suddenly being revoked due to them being compromised.

The series of events leading to this:

• 2nd February: An official at DigiCert received a request from Trustico to revoke over 50,000 Certificates that had been issued through the reseller, Trustico.

• DigiCert asked if the keys were compromised or that they revocation authorization by the owner(s) of the SSL Certificate(s). The certificates were not alleged as compromised at that time.

• Trustico replied stating that the private keys were indeed compromised (without giving specifics or details on how they were compromised); starting the required 24-hour revocation set by all Certificate Authorities when a Private Key / Certificate becomes compromised.

• 27th February: DigiCert receives an email attachment from Trustico containing over 23,000 Private Keys. Leaving DigiCert no choice but to immediately revoke the certificates in the email attachment.

An official statement given by DigiCert followed:
“When he sent us those keys, his action gave us no choice but to act in accordance with the CA/Browser Forum Baseline Requirements, which mandate that we revoke a compromised certificate within 24 hours”

At first no information was provided by Trustico as to how the private keys were acquired or compromised. Trustico have falsely suggested in an email to customers that this revocation is due to the upcoming Google Chrome distrust of Symantec roots.

• DigiCert had to revoke the certificates because they were sent the private keys by Trustico which had nothing to do with future distrust dates by Google Chrome.

• DigiCert have only contacted and revoked the Certificates that match a Private Key in the file sent from Trustico, leaving another 27,000 Certificates possibly compromised.

You can read more about the events and actions by DigiCert here