This is due to a security breach in a firm called Trustico. Trustico, is the certificate issuer for digicert based in the UK. This is going to be a landmark move that is going to definitely going to affect the Certificate Authority industry in the months to follow. This incident took place when Digicert asked to revoke certificates over a security issue that lead to Trustico selling directly to customers.
At that point the general manager for trustico had denied that the company had faced any security incident.
The events unfolded as such: – On 2nd Feb an email was sent to Trustico to cancel all of the fifty thousand certificates managed. This lead to Trustico dropping out of contract with Symantec (part of Digicert) and moving to partner with Comodo.
Digicert denied the request to cancel the fifty thousand certificates claiming that the industry rules do not show precedence. It was only when Trustico claimed to take legal action that this was moved ahead. Digicert ended the contract on the 25th of February, 2018 with Trustico that was confirmed on twitter by a Digicert employee.
As far as the actual certificates go, Digicert’s stance is that they will mass-revoke the certificates if the evidence proves that they were indeed compromised during the time the customers’ private keys were also affected. On the 27th of December Digicert received and email containing over twenty three thousand private keys from Trustico. In light of certificate authority rules the affected/compromised certificate needs to be terminated within twenty four hours of incident.
Digicert has sent over twenty three thousand emails to customers warning them about the impending termination of their certificates. This has raised suspicion that has several cyber security gurus publicly accusing Trustico of allegedly loggin copies of SSL certificate private keys. It is clearly stated that the companies are not supposed to have copies of private keys as per certificate authority rules.
