Yes, this really happened…
Earlier this year in Feburary, the CEO of Trustico, a vendor that re-sells TLS certificates issued by Comodo and Symantec, caused quite a stir when it was revealed that he emailed 23,000 private keys to DigiCert executive vice president Jeremy Rowley. The email requested that 50,000 certificates that Trustico re-sold should be revoked because the certificates’ security had been compromised. DigiCert responded by asking for evidence of compromised keys in order to revoke. Trustico responded by sending an email with a file that contained 23k private keys matching specific Trustico customers. Sharing the private keys via email prompted DigiCert to revoke them making their further use unsafe.
The whole situation is troubling. The first question to be asked is, why would Trustico want them revoked? The second question, why did Trustico keep customers’ private keys and did not destroy them immediately after providing their customers the certificates in a secure manner? And even if they maintained them, how were they able to be emailed? The fact that the CEO had access to the private keys is even more troubling, raising the question of proper data safeguarding, meeting CA/Browser Forum directives and common cyber security best practices.
- The customers genuinely believed that proper safeguards would be placed on their private keys. Therefore, their trust was betrayed.
- The Internet was not originally designed with security in mind. In order for individuals to use the Internet to perform all kinds of transactions such as online banking, eCommerce, transfer personal or sensitive information, etc., the Internet needs to be secure. Digital certificates are an electronic “password” that allows a person or organizations to exchange data securely over the Internet.
- Certificates are necessary to form an encrypted connection between your browser and the website you’re visiting so that sensitive info you might share with the website can pass through the encrypted connection. If CAs, or resellers, cannot sell digital certificates that can be trusted, then the entire internet which is based on HTTPS isn’t safe.
- If your private key is out there in the open, it could be used to create unauthorized, fake certificates, compromising security and severely damaging company reputation.
In light of Trustico’s major “booboo”, this is the perfect opportunity to review best practices in generating a digital certificate and how to avoid having your private keys compromised. When a website wants to get a certificate, the following process is used:
- You generate a private/public keypair, and a “certificate signing request” (CSR). A CSR is a block of encoded text that is given to the Certificate Authority when applying for an TLS certificate.
- The CSR is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name/domain name, locality and country, as well as the public key that was generated.
- The certificate authority will use a CSR to create the TLS certificate, but does not need the private key to do so. The private key should remain secret. The certificate created with a particular CSR will only work with the privatekey that was generated with it. If you lose the private key, your digital certificate is no longer valid, and therefore your website cannot be trusted to perform trust-contingent transactions.
The right way to generate a public/private keypair is on the target system where they’ll be used. Ideally using an HSM or vHSM to protect the private key. We urge you to check your certificates, and if you obtained them from a third party, verify what kind of safeguards, directives and best practices they adhere to. Private keys are extremely sensitive, and require proper handling. If you are in control of your private keys, then no one else can compromise their security, full stop.