Trustico
Trustico was a certificate authority (CA) reseller, primarily known for its controversial relationship with DigiCert and the events leading to the revocation of thousands of SSL/TLS certificates in 2018. Trustico did not operate its own root certificate authority; instead, it resold certificates issued by established CAs like DigiCert and Comodo (now Sectigo).
The company was based in Australia and primarily focused on providing SSL certificates to its customers. Trustico ceased operating as a CA reseller following the 2018 certificate revocation event and subsequent actions taken against it by DigiCert.
Key Events & Controversy:
The central controversy surrounding Trustico stemmed from an incident where it reportedly shared private keys for thousands of its customers' SSL certificates with DigiCert in an attempt to seek technical support related to a mass certificate reissuance. This violated industry best practices and the terms of its agreement with DigiCert, as private keys are meant to be kept secret by the certificate owner.
DigiCert, upon learning of this security breach, took the unprecedented step of revoking a large number of certificates sold by Trustico, citing security concerns and the potential for misuse of the compromised private keys. This mass revocation caused significant disruption for websites and services using the affected certificates, requiring them to replace their certificates immediately.
Following the revocation, Trustico filed legal action against DigiCert, alleging anti-competitive behavior. However, DigiCert defended its actions by highlighting Trustico's security lapse and the necessity of protecting internet users.
Impact:
The Trustico incident served as a stark reminder of the importance of maintaining the confidentiality of private keys and adhering to established security protocols within the SSL/TLS certificate ecosystem. It also highlighted the potential consequences for resellers who fail to safeguard customer data and the authority that root CAs hold in maintaining trust on the internet. The revocation significantly impacted Trustico's business, effectively ending its operations as a certificate reseller. The incident also led to increased scrutiny of CA reseller practices and a renewed emphasis on secure key management.