SyTrust Browsercheck

Just imagine you find your web server's private key on the internet, where it is now known to everyone.

No problem - one can declare the associated certificate invalid! 

For demonstration purposes we have revoked the certificate associated with our private key. The certificate is a so-called ServerPass certificate, issued by TrustCenter Telesec (Deutsche Telekom), and has the serial number 0663.

The up-to-date revocation list issued by the TrustCenter clearly states the invalidity of the certificate with the number 0663. You can also confirm this through online validation at www.openvalidation.org (online validation of certificate 0663, popup validation).

If you visit a page that uses a revoked certificate, your browser should warn you. A hacker could have taken over this page's identity in order to pretend to be the owner of the page.

Click here and you will get to an SSL page with a revoked key!

By the way: the choice of the TrustCenter or certification body has no influence on this test. The check could equally have been carried out with server certificates from Verisign, Thawte or others.
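
The revocation-list lookup described above, as an added example that is not part of the original page: it uses the Python `cryptography` package to build a constructed CRL and only answers "revoked" or "good" after checking the list's signature and freshness. The test CA name, the generated keys and the reading of serial 0663 as hexadecimal are assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

SERIAL = 0x0663  # assumption: the page's "0663" read as a hexadecimal serial

def make_crl(signer, issuer, revoked, now, lifetime=timedelta(days=1)):
    """Build a constructed CRL that lists the given serial numbers."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(issuer).last_update(now).next_update(now + lifetime))
    for serial in revoked:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(now).build())
        b = b.add_revoked_certificate(entry)
    return b.sign(private_key=signer, algorithm=hashes.SHA256())

def revocation_status(crl, ca_public_key, serial, now):
    """Return 'revoked', 'good', or the reason the CRL cannot be trusted."""
    # A list that the issuing CA did not sign proves nothing.
    if not crl.is_signature_valid(ca_public_key):
        return "crl-bad-signature"
    # An expired (or undated) list may predate the revocation.
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update
    if nxt is not None and nxt.tzinfo is None:
        nxt = nxt.replace(tzinfo=timezone.utc)  # older versions return naive UTC
    if nxt is None or now > nxt:
        return "crl-stale"
    hit = crl.get_revoked_certificate_by_serial_number(serial)
    return "revoked" if hit is not None else "good"

def demo():
    now = datetime.now(timezone.utc).replace(microsecond=0)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())  # not the CA
    crl = make_crl(ca_key, name, [SERIAL], now)
    empty_forgery = make_crl(other_key, name, [], now)
    pub = ca_key.public_key()
    return {
        "listed": revocation_status(crl, pub, SERIAL, now),
        "unlisted": revocation_status(crl, pub, 0x0664, now),
        "forged": revocation_status(empty_forgery, pub, SERIAL, now),
        "stale": revocation_status(crl, pub, SERIAL, now + timedelta(days=2)),
    }

if __name__ == "__main__":
    print(demo())
```

A client that treats "crl-bad-signature" or "crl-stale" as "good" fails open, which is exactly the case in which the warning this page tests for never appears.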