Story so far
3 weeks ago, Trustico Director (Zane Lucas) attempted to revoke 50,000 Symantec-issued certificates without notification or approval from its customers. To force the issue, Trustico compromised its customers by sending over 23,000 private keys to Symantec (now Digicert) in a Zip via email. Digicert then had no choice but to revoke the potentially compromised customer certificates within 24 hours.
The whole issue stemmed from Google's distrust of Symantec, which would have meant certificate warnings for Chrome users and, by extension, Mozilla users too. Trustico's new partnership with Comodo meant that this was the perfect opportunity to force customers onto their new platform. Instead of a polite warning, the revocation led to inaccessible web sites, VPN connections, federation services, devices and security systems. For some, the impact was minor: having no access to a company web site may not be critical. For others, the financial losses were more significant, with lost sales or staff unable to work from home during a period of snow in the UK, not to mention the cost of the engineering resources needed to resolve these issues. One customer noted that the resulting loss of their security system for nearly 36 hours put lives at risk and resulted in heavy fines.
Trustico issued invalid voucher codes to customers in a feeble attempt to resolve the issue. Overwhelmed by the obvious customer backlash, Trustico then went dark (turning off chat facilities and leaving a voicemail for those seeking support). This left customers with no option but to go to other resellers.
Zane released a statement today to set the record straight and win back some of its more loyal clients by focusing on Trustico's previous 15-year relationship with its customers and its quality of service. Zane freely admits to providing private keys (although not all 23,000) and to using Google's distrust as a valid (or, let's face it, invalid) reason to revoke customer certificates. Zane's statement tries to convey that Trustico is just as much a victim of this incident, by stating that it has been misrepresented by Digicert. Zane continued to blame recipient mail servers for rejecting notifications of Trustico's intentions prior to revoking customer certificates without consent.
The lesson here is not to put faith in third-party companies such as Trustico to maintain your private keys. It is a straightforward process to generate your own key and certificate request on your own internal systems (such as the IIS Management Console), so the private key never has to be handed to a reseller. But let's face it, would you put any faith in Trustico at all? Decide for yourselves.
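As an added example (not from the original post), here is the OpenSSL equivalent of the IIS approach: generate the private key and CSR locally, lock down the key file, and confirm that the CSR really carries that key's public key before sending only the CSR to the CA or reseller. It assumes OpenSSL is installed; the output directory and hostname are placeholders supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the original post): generate the private key and
# CSR on your own host so the key never leaves it. Only the .csr is ever
# sent to the CA or reseller. Assumes OpenSSL is installed; the hostname and
# output directory are placeholders supplied by the caller.
set -eu

# csr_matches_key KEY CSR
# Returns 0 only if the CSR has a valid self-signature and carries the same
# public key as KEY. Run this before submitting any CSR.
csr_matches_key() {
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# make_key_and_csr DIR HOSTNAME
# Creates DIR/HOSTNAME.key (owner-only, mode 600) and DIR/HOSTNAME.csr,
# then checks that the two belong together. Returns non-zero on any failure.
make_key_and_csr() {
    key="$1/$2.key"
    csr="$1/$2.csr"
    umask 077                           # key file is never group/world readable
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$key" 2>/dev/null || return 1
    chmod 600 "$key"
    # The CSR contains only the public key and subject; that is what the CA signs.
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$2" 2>/dev/null || return 1
    csr_matches_key "$key" "$csr"
}

# Usage: sh make_csr.sh OUTDIR HOSTNAME
if [ $# -eq 2 ]; then
    make_key_and_csr "$1" "$2" && echo "CSR ready: $1/$2.csr (send this, never the .key)"
fi
```

The .key file stays on the server that will terminate TLS; nothing a reseller needs is in it, so there is never a reason to email it.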
The latest statement from Zane can be found at: https://www.trustico.com/news/2018/digicert-symantec-statement/set-the-record-straight.php