The website of Trustico, a UK-based SSL certificate reseller, has gone offline following a spat with certificate issuer DigiCert over more than 20,000 compromised certs.
The reseller accused US-based DigiCert, which acquired Symantec’s SSL certificate division in August last year for US$950 million, of sending out an “unauthorised” email advising customers of their certificates being revoked; DigiCert accused Trustico of sending highly confidential private keys over email.
The clash is a complicated mess between the two providers, with the decision to revoke the certificates seemingly triggered after Trustico apparently emailed more than 20,000 private keys to DigiCert as a way of providing evidence that they had been compromised.
The affected users included Australian IT firms, who forwarded the email to CRN and posted about the issue online.
Trustico on 28 February sent users an email saying it was no longer offering Symantec, GeoTrust, RapidSSL and Thawte branded SSL certificates. "Unfortunately, Google Chrome has decided to distrust these SSL certificates."
"Recently DigiCert acquired the Symantec SSL certificate division and subsequently an e-mail was sent by DigiCert to some of our SSL certificate customers advising of the revocation of their distrusted SSL certificate. We didn't authorise this e-mail to be sent and had specifically disabled it within the DigiCert system."
The problems worsened when Trustico, which has an Australian office in Bundall, Queensland, contacted DigiCert to request that certain certificates be revoked, claiming they were compromised.
"Trustico did not provide proof of compromise, so we suggested a couple of ways to demonstrate that by either confirming control over the private key or confirming the domain holder’s confirmation of the revocation request," according to an email sent by DigiCert support to customers.
"Trustico told us that they held the private keys. We asked them to confirm this. When they sent the private keys, it immediately initiated a 24-hour period for revocation of your certificate, and thousands of others, as required by the CA/Browser Forum Baseline Requirements.
"We don't know why or how Trustico had the private key to your certificate, yet once it was emailed to us your certificate was compromised," the DigiCert email continued.
"To be clear: the compromise occurred when Trustico, the company from which you purchased the certificate, sent DigiCert, the Certificate Authority, your private key.
"This revocation is not related to the upcoming Google Chrome distrust of Symantec-issued certificates; we have been and will continue to work diligently to reissue those affected certificates and ensure that our customers avoid any disruption."
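The first route DigiCert's email describes, confirming control over the private key, can be done without the key ever leaving the subscriber: the CA issues a random challenge, the holder signs it, and the CA verifies the signature against the public key in the certificate it already issued. This is an added Go example, not code from Trustico, DigiCert or the article; it assumes an RSA key with PKCS#1 v1.5 signatures over SHA-256 and uses a constructed sample key pair in place of a real subscriber's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewChallenge is the CA's side: a fresh random nonce, so a captured signature
// cannot be replayed to satisfy a later request.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// ProveControl is the subscriber's side: sign the CA's nonce with the
// certificate's private key. Only the signature goes back to the CA; the
// private key itself never leaves the holder.
func ProveControl(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyControl is the CA's side: check the signature against the public key
// it already holds from the certificate it issued. No private key is disclosed.
func VerifyControl(pub *rsa.PublicKey, nonce, sig []byte) bool {
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed sample: the subscriber's key pair for this demonstration only.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	nonce, _ := NewChallenge()
	sig, _ := ProveControl(priv, nonce)
	fmt.Println("control proven:", VerifyControl(&priv.PublicKey, nonce, sig))
	// A signature over a different nonce, or from another key, fails the check.
	fmt.Println("stale nonce accepted:", VerifyControl(&priv.PublicKey, []byte("other"), sig))
}
```

The same exchange works for a revocation request: a valid signature shows the requester holds the key, which is all the CA needs before starting the 24-hour revocation clock.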