public-key certificates pki
Updated Sat, 16 Jul 2022 02:28:56 GMT

What happens when a root CA has its private key compromised?

What happens when a root CA has its private key compromised? Then all children in the tree are compromised too? And then all certificates are compromised? What needs to happen then?

- How can we get CA's public key?
- I've got my private key compromised. How does CRL work?
- What happens when a root CA has its private key compromised?


A lot of sleepless nights for the CA, their customers, web browser and OS developers, and Slashdot users, that's what.

I don't know if a CA has ever had their private keys compromised, but there have been incidents where their systems were broken into and fraudulent certificates were issued. (There's a difference between a private key actually being taken, and an attacker just being able to feed bogus certificates into the system and get them falsely signed -- though both are quite bad enough.)

In 2011, a reseller for Comodo (later renamed to Sectigo, and still one of the largest CAs in existence) was compromised and used to issue several fraudulent certificates for and other major domains. Comodo quickly revoked the certificates and disabled the reseller's account, and as a bonus (since online OCSP and CRL checks can be blocked) web browsers and OSes released updates specifically banning those certs.

Comodo was "encouraged" to be more careful -- indeed, another reseller account was compromised less than two weeks later but the attacker was unable to accomplish anything with it -- but their roots were not revoked and they suffered no major consequences. (The reseller is still around, too.) There was a great deal of handwringing around the Internet about whether this was an appropriate response to a limited breach or whether Comodo had made an unforgivable mistake but received "too big to fail" special treatment.

Later in 2011 (bad year), a CA called DigiNotar was compromised, and hundreds of fake certificates were issued, for Google and all sorts of other domains (again). When web browser and OS companies were eventually informed, they revoked DigiNotar's roots from their certificate stores -- defanging the fraudulent certs but breaking many (largely Dutch) websites in the process.

DigiNotar avoided informing anyone of the incident for more than a month, and were unable to produce a complete list of fraudulent certs. Mozilla, for one, lost confidence in them, and DigiNotar was bankrupt in weeks.

Comments (1)

  • +0That's also related. No key conpromise, but shows how to obtain an intermediate CA certificate when using weak hash functions for certificate signing. — Nov 16, 2013 at 15:24