Certigna Says Exposed SSL Certificate Private Key Was Useless

A French provider of SSL certificates has denied publishing its private key for the world to see, and opening up a potentially serious security hole in the world's web browsers.

SSL certificates serve two purposes on the Internet: to encrypt information, and to verify a webserver's identity. An SSL certificate is what is used to keep the password you log in to your Internet banking site private, and also serves to ensure that you're genuinely logging in to the bank's own server.

This latter function requires that certificate providers don't issue certificates willy-nilly, instead verifying that the person requesting the certificate has some control over the domain in question. This can be as difficult as a long-winded meetings with business executives, and as simple as placing a secret file somewhere on the web server.

To prevent random users from generating their own trusted certificates, each SSL certificate provider has a 'private key.' This is a piece of code which is kept completely secret, and which is used to sign each issued SSL certificate to validate that it has been issued by a trusted authority. These keys are usually closely guarded, as any certificate signed by the key from a trusted authority will be implicitly trusted by a web browser without display any warning messages.

French SSL specialist Certigna appeared to have failed to keep its secret under lock and key yesterday according to some reports. A visit to the site's revocation list page - which is fully publicly accessible via a standard web browser - seemingly allowed anyone and everyone to download the private key and other supposedly secret files, potentially enabling the creation of their own valid Certigna-signed SSL certificates.

Certigna has now issued a response claiming that the file represented a 'test' certificate that had long since expired. "The private key available on the server corresponds to a test certificate used on our website certigna.fr," the company claimed. "It is impossible to generate new valid user certificates from this key. Moreover, it is encrypted and is an SSL certificate expired since July 2010. This key does not affect our infrastructure security. The Certigna SSL authority’s private key is stored in HSM (Hardware Security Module) and hence can never be recovered. This useless file has been removed."