Entrust Bulletin on Certificates Issued with Weak 512-bit RSA Keys by Digicert Malaysia
This bulletin is provided to clarify issues with Digicert Sdn. Bhd. (Digicert Malaysia) SSL certificates.
Digicert Sdn. Bhd. (Digicert Malaysia) is a certificate authority based in Malaysia. There is no relationship to DigiCert Inc. based in Utah, US.
Entrust has issued an intermediate CA certificate (cross certificate) to Digicert Malaysia which has been licensed for distribution with SSL and S/MIME certificates. Entrust issued the intermediate CA certificate in July of 2010.
It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards.
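A defender auditing certificates that chain to the cross-certified intermediate would want to check exactly the two defects named above: an RSA modulus that is too short, and required extensions that are absent. The following stdlib-only Python script is an added example, not Entrust's or Digicert Malaysia's code. It parses a DER certificate just far enough to read the RSA modulus size and the extension OIDs present, then flags keys under a policy floor and missing extensions. The 2048-bit floor and the required-extension list are assumptions modelled on common CA practice, not the text of the bulletin or of any CPS (the bulletin does not say which extensions were missing). Because the actual revoked certificates are not on the page, the certificate it audits is a synthetic placeholder built by `build_test_cert` (a fake modulus and an all-zero signature), constructed here only to exercise the parser.

```python
# Added example: minimal, stdlib-only audit for the two defects the bulletin
# names (RSA keys that are too short, missing extensions). Not Entrust's or
# Digicert Malaysia's code. The policy constants are assumptions, not CPS text.
from typing import Dict, List, Tuple

MIN_RSA_BITS = 2048                              # assumption: policy floor
OID_RSA = "1.2.840.113549.1.1.1"                 # rsaEncryption
OID_SHA256_RSA = "1.2.840.113549.1.1.11"         # sha256WithRSAEncryption
REQUIRED_EXTENSIONS: Dict[str, str] = {          # assumption: simplified policy
    "2.5.29.19": "basicConstraints",
    "2.5.29.15": "keyUsage",
    "2.5.29.37": "extendedKeyUsage",
    "2.5.29.35": "authorityKeyIdentifier",
}

# ---- DER primitives: enough for X.509 structure, not a full ASN.1 library ----
def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value: bytes) -> str:
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                          # base-128 arcs, high bit = continue
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

# ---- the audit ----
def certificate_facts(cert_der: bytes) -> Tuple[int, List[str]]:
    """Return (RSA modulus bits, or 0 if not RSA; list of extension OIDs present)."""
    _, cert, _ = der_read(cert_der, 0)
    fields = der_children(der_children(cert)[0][1])        # tbsCertificate
    if fields[0][0] == 0xA0:                               # optional [0] version
        fields = fields[1:]
    spki = fields[5][1]                # after serial, sigAlg, issuer, validity, subject
    (_, alg), (_, bitstr) = der_children(spki)
    bits = 0
    if decode_oid(der_children(alg)[0][1]) == OID_RSA:
        rsa_pub = der_children(bitstr[1:])[0][1]           # skip unused-bits octet
        bits = int.from_bytes(der_children(rsa_pub)[0][1], "big").bit_length()
    present = []
    for tag, val in fields[6:]:
        if tag == 0xA3:                                    # [3] extensions
            for _, ext in der_children(der_children(val)[0][1]):
                present.append(decode_oid(der_children(ext)[0][1]))
    return bits, present

def audit(cert_der: bytes) -> List[str]:
    """Findings for one certificate; an empty list means it passes this policy."""
    bits, present = certificate_facts(cert_der)
    findings = []
    if bits < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {bits} bits (< {MIN_RSA_BITS})")
    for oid, name in REQUIRED_EXTENSIONS.items():
        if oid not in present:
            findings.append(f"missing extension: {name} ({oid})")
    return findings

# ---- constructed test input: placeholder certificate, not a real key or signature ----
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(n: int) -> bytes:                    # positive INTEGER, leading 0x00 if needed
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_oid(s: str) -> bytes:
    arcs = [int(a) for a in s.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return der(0x06, body)

def build_test_cert(modulus_bits: int, extension_oids: List[str]) -> bytes:
    modulus = (1 << (modulus_bits - 1)) | 1                # placeholder, not a real modulus
    rsa_pub = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, encode_oid(OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_pub))
    sig_alg = der(0x30, encode_oid(OID_SHA256_RSA) + der(0x05, b""))
    name = der(0x30, b"")                                  # empty Name placeholder
    validity = der(0x30, der(0x17, b"100701000000Z") + der(0x17, b"111108000000Z"))
    tbs = der(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki
    if extension_oids:
        exts = b"".join(der(0x30, encode_oid(o) + der(0x04, b"")) for o in extension_oids)
        tbs += der(0xA3, der(0x30, exts))
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, b"\x00" + bytes(32)))

if __name__ == "__main__":
    for label, cert in [("512-bit, no extensions", build_test_cert(512, [])),
                        ("2048-bit, all extensions", build_test_cert(2048, list(REQUIRED_EXTENSIONS)))]:
        print(label, "->", audit(cert) or ["OK"])
```

To run this against real certificates, replace the `build_test_cert` output with the DER bytes of each leaf certificate (for example, the PEM body base64-decoded) and treat any non-empty finding list as a reason to investigate the issuing CA, since a single weak key or missing extension indicates an issuance-control failure rather than an isolated mistake. The parser is positional and assumes a well-formed v3 certificate; a production check would use a proper X.509 library and additionally verify the chain and revocation status.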
Digicert Malaysia has revoked all of the 512-bit certificates (twenty-two) that they issued and has made them available to major browser vendors to blacklist as they deem appropriate.
Entrust will revoke the intermediate CA certificate on or before November 8th 2011, giving Digicert Malaysia's customers a modest amount of time to replace their SSL server certificates. Entrust has made the intermediate certificate available to the browser vendors for blacklisting.
There is no evidence that the Digicert Malaysia certificate authorities have been compromised.
Entrust certificate authorities have not been affected. Entrust continues to put security of its systems and customers first and will continue to monitor its policies and security parameters to ensure the security of Entrust issued digital certificates.
Entrust believes that security companies have a duty to take action when security incidents like this occur. Upon discovery of the issues with Digicert Malaysia certificates, Entrust took immediate steps to address the situation to ensure the security of Entrust customers and all Internet users.