Last updated
Type Private company
Industry Internet security, Public key infrastructure

Trustico is a dedicated SSL Certificate Provider, whose headquarters are in the United Kingdom.



The company was founded in 2006 in United Kingdom by Zane Lucas. They gradually spread around the world over the following years. The firm currently operates entirely in the selling of SSL Certificates.[ citation needed ]

On 22 June 2017 Trustico entered a Partnership with Comodo, a developer of cyber security solutions[ buzzword ] and digital certificates. [2] [3]

The company became notable in March 2018, after its CEO transferred the private keys for 23,000 HTTPS certificates via email (a non-secure protocol) to an executive at DigiCert. [4] [5] [6] [1] [7] The fact that these private keys had been stored by Trustico suggested that Trustico had been violating the baseline requirements for certificate authorities. [4]

This was followed by the disclosure of a critical security flaw – a publicly accessible root shell – in the Trustico website, after which the website was taken offline. [8] [9] The result was that thousands of Trustico customers had their security certificates revoked by DigiCert. [1]



Symantec abandonment, 2018

Following Google's statement, on 11 September 2017, to distrust Symantec's SSL Certificates for unsatisfactory security standards. [10] [11] Trustico followed suit in abandoning Symantec issued SSL Certificates. [12] [13] Trustico offered replacements to all Symantec CA Certificates issued between June 2016 and December 2017 in compensation for those affected by the abandonment. [6]

DigiCert and Trustico spat, 2018

On 2 February Trustico sent an email to DigiCert requesting the revocation of all Symantec Certificates - around 50,000 - managed by DigiCert. DigiCert, who had recently acquired Symantec's [14] [15] [16] CA business denies the request to mass-revoke the certificates. On 25 February DigiCert terminated its contract with Trustico after Trustico said it would seek a legal opinion on the matter. [17]

On 27 February DigiCert released a statement claiming they had received an email from Trustico containing over 23,000 private keys before mass emailing Trustico's customers about the security breach. [4] [17]

See also

Related Research Articles

Public key infrastructure

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.

Public key certificate Electronic document used to prove the ownership of a public key

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

X.509 Standard defining the format of public key certificates

In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

Verisign American Internet company

Verisign Inc. is an American company based in Reston, Virginia, United States that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the .com, .net, and .name generic top-level domains and the .cc and .tv country-code top-level domains, and the back-end systems for the .jobs, .gov, and .edu top-level domains. Verisign also offers a range of security services, including managed DNS, distributed denial-of-service (DDoS) attack mitigation and cyber-threat reporting.

NortonLifeLock American software company

NortonLifeLock Inc., formerly known as Symantec Corporation is an American software company headquartered in Tempe, Arizona, United States. The company provides cybersecurity software and services. NortonLifeLock is a Fortune 500 company and a member of the S&P 500 stock-market index. The company also has development centers in Pune, Chennai and Bangalore.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

CyberTrust was a security services company formed in Virginia in November 2004 from the merger of TruSecure and Betrusted. Betrusted previously acquired GTE Cybertrust. Cybertrust acquired a large stake in Ubizen, a European security services firm based in Belgium, to become one of the largest information security firms in the world. It was acquired by Verizon Business in 2007. In 2015, the CyberTrust root certificates were acquired by DigiCert, Inc., a leading global Certificate Authority (CA) and provider of trusted identity and authentication services.

Thawte Consulting is a certificate authority (CA) for X.509 certificates. Thawte was founded in 1995 by Mark Shuttleworth in South Africa. As of December 30, 2016, its then-parent company, Symantec Group, was collectively the third largest public CA on the Internet with 17.2% market share.

Comodo Security Solutions, Inc. is a cybersecurity company headquartered in Clifton, New Jersey in the United States.

GeoTrust is a digital certificate provider. The GeoTrust brand was bought by Symantec from Verisign in 2010, but agreed to sell the certificate business in August 2017 to private equity and growth capital firm Thoma Bravo LLC. GeoTrust was the first certificate authority to utilize the domain-validated certificate method which accounts for 70 percent of all SSL certificates on the Internet. By 2006, GeoTrust was the 2nd largest certificate authority in the world with 26.7 percent market share according to independent survey company Netcraft.

Extended Validation Certificate

An Extended Validation Certificate (EV) is a certificate conforming to X.509 that proves the legal entity of the owner and is signed by a certificate authority key that can issue EV certificates. EV certificates can be used in the same manner as any other X.509 certificates, including securing web communications with HTTPS and signing software and documents. Unlike domain-validated certificates and organization-validation certificates, EV certificates can be issued only by a subset of certificate authorities (CAs) and require verification of the requesting entity's legal identity before certificate issuance.

GlobalSign is a WebTrust-certified certificate authority (CAs) and provider of Identity Services. As of January 2015, Globalsign was the 4th largest certificate authority in the world according to the Netcraft survey.

DigiCert, Inc. is an American technology company focused on digital security and headquartered in Lehi, Utah, with offices in Australia, Ireland, Japan, India, South Africa, Switzerland and United Kingdom. As a certificate authority (CA) and trusted third party, DigiCert provides the public key infrastructure (PKI) and validation required for issuing digital certificates or TLS/SSL certificates. These certificates are used to verify and authenticate the identities of organizations and domains and to protect the privacy and data integrity of users’ digital interactions with web browsers, email clients, documents, software programs, apps, networks and connected IoT devices.

The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications. Its guidelines cover certificates used for the SSL/TLS protocol and code signing, as well as system and network security of certificate authorities.

StartCom was a certificate authority founded in Eilat, Israel, and later based in Beijing, People's Republic of China, that had three main activities: StartCom Linux Enterprise, StartSSL and MediaHost. StartCom set up branch offices in China, Hong Kong, the United Kingdom and Spain. Due to multiple faults on the company's end, all StartCom certificates were removed from Mozilla Firefox in October 2016 and Google Chrome in March 2017, including certificates previously issued, with similar removals from other browsers expected to follow.

DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc. On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems. That same month, the company was declared bankrupt.

Certificate Authority Security Council

The Certificate Authority Security Council (CASC) is a multi-vendor industry advocacy group created to conduct research, promote Internet security standards and educate the public on Internet security issues.

Certificate Transparency (CT) is an Internet security standard and open source framework for monitoring and auditing digital certificates. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.


  1. 1 2 3 4 "23,000 HTTPS certs will be axed in next 24 hours after private keys leak". The Register. Retrieved 11 September 2018.
  2. "Comodo and Trustico Team Up in Strategic Worldwide Partnership". Retrieved 2018-09-24.
  3. "Strategic global partnership announced between Comodo and Trustico - News @". News @ 2017-06-23. Retrieved 2018-09-24.
  4. 1 2 3 "23,000 HTTPS certificates axed after CEO emails private keys". 2018.
  5. Whittaker, Zack. "Trustico compromises own customers' HTTPS private keys in spat with partner".
  6. 1 2 "23,000 Digital Certificates Revoked in DigiCert-Trustico Spat - SecurityWeek.Com".
  7. "How not to run a CA - Hacker News".
  8. "Trustico website goes dark after someone drops critical flaw on Twitter". 2018.
  9. "HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed".
  10. "Chrome's Plan to Distrust Symantec Certificates". Google Online Security Blog. Retrieved 2018-09-24.
  11. "Google distrust of Symantec SSL certificates. Why is it important?". Hacker Noon. 2018-04-16. Retrieved 2018-09-24.
  12. "Trustico abandons Symantec SSL certificates -". Enterprise Times. 2018-02-19. Retrieved 2018-09-24.
  13. "Trustico® Abandons Symantec® SSL Certificates" . Retrieved 2018-09-24.
  14. "Distrust of the Symantec PKI: Immediate action needed by site operators". Google Online Security Blog. Retrieved 2018-09-24.
  15. "Symantec to sell SSL certificate and PKI business to DigiCert". Comodo News and Internet Security Information. 2017-08-03. Retrieved 2018-09-24.
  16. "Symantec Sells SSL Business to DigiCert for $950M in Cash and 30% Shares". BleepingComputer. Retrieved 2018-09-24.
  17. 1 2 "23,000 Users Lose SSL Certificates in Trustico-DigiCert Spat". BleepingComputer. Retrieved 2018-09-24.