Distrusted Symantec® SSL Replacement

February 28, 2018

In good conscience we decided it wasn't ideal to have any active SSL Certificates on the Symantec systems, nor any that didn't meet our stringent security requirements.

Trustico® News

Symantec® Replacement & Revocation

As a reseller we follow the guidelines and agreements that both DigiCert & Symantec® had entered into with us.

We had been in contact with DigiCert several times over the past week to inform them that we no longer authorized them to hold our active SSL Certificates on their platform. We believe the orders placed via our Symantec® account were at risk and were poorly managed. In good conscience we decided it wasn't ideal to have any active SSL Certificates on the Symantec® systems, nor any that didn't meet our stringent security requirements.

Our concerns also relate to the upcoming distrust of all Symantec® SSL Certificate brands within Google Chrome.

According to the Symantec® Subscriber Agreement provided during the ordering process and within the Symantec® website, we believed that we were required as the reseller to perform a revocation request for any SSL Certificate whereby trust was questionable :

"IF YOU IS A CUSTOMER OF A RESELLER (AS DEFINED HEREIN), SUBSCRIBER REPRESENTS AND WARRANTS THAT IT AUTHORIZES SUCH RESELLER TO APPLY FOR, ACCEPT, INSTALL, MAINTAIN, RENEW, AND, IF NECESSARY, REVOKE THE CERTIFICATE ON SUBSCRIBER’S BEHALF."

At no time did we believe that we had compromised any private keys, though at the request of DigiCert we provided the Private Keys to them in order to facilitate a revocation request :

Mike Johnson of DigiCert sent an e-mail to us advising the following :

"If subscribers request revocation (and we are able to authenticate that the revocation request is truly from the subscriber, such as by the subscriber delivering the private key), we follow the revocation timelines set forth in the BRs."

Further, Jeremy Rowley of DigiCert sent an e-mail to us requesting the following :

"Can you please send a listing of the certificate serial numbers along with their private keys? Once we get that list, we’ll confirm the private key and revoke the certs as requested. Thanks!"

Trustico® followed the requests of DigiCert by initially recovering Private Keys from cold storage and subsequently e-mailing the associated order number and Private Keys to DigiCert in a ZIP file. The file did not contain any other type of data.

In our view it is absolutely critical that an SSL Certificate performs its intended function. In accordance with CAB Forum guidelines we acted to immediately revoke active SSL Certificates whereby trust was questionable.

Unfortunately things didn't go very well for us today and we are extremely sorry for all the confusion and inconvenience that has been caused. We believed that we had acted in accordance with the agreements and information that both DigiCert and Symantec® had imposed and provided upon us.