Certificate Authority Revoked due to IT Security Policies

The DigiCert Sdn Bhd intermediate certificate authority was revoked by its root CA, Entrust Inc, after Entrust found that it had issued certificates with weak keys, in breach of the applicable IT security policies. Thanks to the comment from Travis Tidball, I would like to clarify that DigiCert Sdn Bhd (Malaysia) is not affiliated with DigiCert Inc (USA), so you should not take this to mean that DigiCert Inc is also affected.

According to Entrust Inc, 22 certificates with weak keys were issued, although there was no indication that they were issued fraudulently. Those certificates use 512-bit RSA keys, which do not comply with the Certification Practice Statement (CPS) and fall far below what CA standards accept. A 512-bit RSA modulus can be factored with modest computing resources, so whoever does so can sign with the certificate's private key.

[Image: DigiCert Sdn Bhd. Credit: Cybertopia's World]

In addition, the subordinate CA had further technical problems: the certificates lacked the Extended Key Usage (EKU) extension that specifies what a certificate may be used for (with no EKU, nothing in the certificate itself restricts its use), and they had been issued without revocation information (a CRL distribution point or OCSP responder URL), so relying parties had no way to check whether they had been revoked.
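As an added example (not code from the original post or from either CA), here is a small Python audit, built on the `cryptography` package, that flags the three defects described above and in the key-size paragraph: an RSA key shorter than a policy minimum, a missing EKU extension, and no revocation information. The certificates it checks are constructed inside the script; the issuer name, the URLs and the 2048-bit policy floor are assumptions, and the weak public key is a made-up 512-bit modulus whose only relevant property is its length. Run it on real PEM files with `audit_pem()`.

```python
"""Audit X.509 certificates for the three defects Entrust cited: RSA keys
below a policy minimum, no Extended Key Usage (EKU) extension, and no
revocation information (neither CRL Distribution Points nor an OCSP
responder in Authority Information Access).  Requires the `cryptography`
package.  The certificates built below are constructed for this demo.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)

MIN_RSA_BITS = 2048  # assumed policy floor; any sane CPS rejects 512-bit keys


def audit_certificate(cert: x509.Certificate, min_rsa_bits: int = MIN_RSA_BITS) -> list:
    """Return a list of finding strings; an empty list means the cert passes."""
    findings = []

    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < min_rsa_bits:
        findings.append(f"WEAK_RSA_KEY: {pub.key_size} bits < {min_rsa_bits}")

    # Without an EKU, nothing in the certificate limits what it may be used
    # for, so a "web server" certificate can be presented as a signing cert.
    try:
        cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        findings.append("MISSING_EKU")

    # Revocation info: a CRL Distribution Points extension, or an OCSP
    # responder URL inside Authority Information Access.
    has_crl = has_ocsp = False
    try:
        cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
        has_crl = True
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
        has_ocsp = any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia)
    except x509.ExtensionNotFound:
        pass
    if not (has_crl or has_ocsp):
        findings.append("NO_REVOCATION_INFO")

    return findings


def audit_pem(pem: bytes) -> list:
    """Convenience wrapper for a PEM-encoded certificate read from a file."""
    return audit_certificate(x509.load_pem_x509_certificate(pem))


def cert_to_pem(cert: x509.Certificate) -> bytes:
    return cert.public_bytes(serialization.Encoding.PEM)


# --- constructed fixtures (assumed names and URLs, not real CA material) ---

_ISSUER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
_ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])

# A 512-bit odd integer standing in for a weak modulus.  Only its length
# matters to the audit; it is not a real key pair.
_WEAK_N = (1 << 511) | 1
_WEAK_PUB = rsa.RSAPublicNumbers(e=65537, n=_WEAK_N).public_key()


def _builder(subject: str, pub):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
            .issuer_name(_ISSUER)
            .public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=30)))


def make_weak_cert() -> x509.Certificate:
    """Weak key, no EKU, no revocation info: the profile of the 22 bad certs."""
    return _builder("weak.example", _WEAK_PUB).sign(_ISSUER_KEY, hashes.SHA256())


def make_good_cert() -> x509.Certificate:
    """Same issuer, but a 2048-bit key, an EKU and a CRL distribution point."""
    crl = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier("http://crl.example/ca.crl")],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (_builder("good.example", _ISSUER_KEY.public_key())
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .add_extension(crl, critical=False)
            .sign(_ISSUER_KEY, hashes.SHA256()))


if __name__ == "__main__":
    for cert in (make_weak_cert(), make_good_cert()):
        print(cert.subject.rfc4514_string(), audit_certificate(cert) or "OK")
```

The audit only looks at what is inside the certificate; it does not factor the key or query the CRL. That is deliberate: these are linting checks a CA should run before issuance and a relying party can run on any chain it is handed, and each of the three findings here is something a reviewer could have spotted from the certificate alone.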

The CA business has become much stricter since the lessons learned from the DigiNotar breach and bankruptcy. Because the problem could affect Entrust's future CA business, Entrust decided to revoke the DigiCert Sdn Bhd intermediate certificate.

Based on the latest update from Naked Security, two of the weak certificates were used to sign malware used in a spear-phishing attack against another Asian certificate authority. That CA raised the issue after noticing the attack. Three other certificate authorities were also attacked, but the certificates involved in those attacks were not issued by DigiCert Sdn Bhd.

This shows how much auditing matters when we talk about IT security policy for a CA. DigiCert Sdn Bhd had passed an audit for the Malaysian government, conducted by a large global auditing firm, yet it was still not compliant.

About Alan Tay

This blog is owned and operated by myMediaInc. My Media operates content based online portals for IT professionals, technology managers and decision makers as well as business leaders. We publish original quality content focused in Software Development, IT Security, SaaS, Cloud Computing, Outsourcing, Project Management and Mobile and Wireless. Our mission is to explore how to help you optimize your resources in each of these areas.



  1. Just to clarify, Digicert Sdn Bhd (Malaysia) is not affiliated with the DigiCert, Inc., which is a well known Certificate Authority that is based in the United States and signs certificates for nearly 50,000 organizations worldwide.
