TrustAsia Revokes 143 Certificates After LiteSSL ACME Authorization Reuse Flaw

What happened

TrustAsia revoked 143 certificates after discovering a logic error in the LiteSSL ACME service that allowed domain validation data to be improperly reused across different ACME accounts. The report said TrustAsia suspended issuance services and revoked 143 SSL/TLS certificates issued via ACME after December 29, 2025, and referenced tracking under Mozilla Bugzilla ticket #2011713 following a community report received January 21, 2026. The stated root cause involved how the LiteSSL ACME service handled Authorization objects: authorizations could be reused in a way that bypassed the requirement for unique validation per account context. TrustAsia stated its architecture maintains a one-to-one mapping between ACME accounts and External Account Bindings (EABs), and said affected certificates were revoked and the service was patched and restored. The report also noted that ACME authorizations in production were reset to a revoked status to prevent reuse.
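The class of flaw described above can be shown with a simplified model of authorization reuse. This is an added example, not LiteSSL or TrustAsia code; the data model, function names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Authorization:
    authz_id: str
    account_id: str    # ACME account that completed the challenge
    identifier: str    # DNS name that was validated
    status: str        # "pending", "valid", "revoked", ...
    expires: datetime

def find_reusable_unscoped(store, account_id, identifier, now):
    """Flawed model: matches on identifier only and ignores the owning account."""
    for a in store:
        if a.identifier == identifier and a.status == "valid" and a.expires > now:
            return a
    return None

def find_reusable_scoped(store, account_id, identifier, now):
    """Corrected model: only the account that earned an authorization may reuse it."""
    for a in store:
        if (a.account_id == account_id and a.identifier == identifier
                and a.status == "valid" and a.expires > now):
            return a
    return None

def needs_validation(lookup, store, account_id, identifiers, now):
    """Identifiers for which this account must complete a fresh challenge."""
    return [d for d in identifiers if lookup(store, account_id, d, now) is None]

# Constructed sample data (hypothetical accounts and domains).
NOW = datetime(2026, 1, 22, tzinfo=timezone.utc)
STORE = [
    Authorization("az-1", "acct-A", "shop.example", "valid", NOW + timedelta(days=7)),
    Authorization("az-2", "acct-A", "old.example", "revoked", NOW + timedelta(days=7)),
    Authorization("az-3", "acct-B", "blog.example", "valid", NOW - timedelta(days=1)),
]
NAMES = ["shop.example", "old.example", "blog.example"]

def demo():
    return {
        "unscoped_acct_B": needs_validation(find_reusable_unscoped, STORE, "acct-B", NAMES, NOW),
        "scoped_acct_B": needs_validation(find_reusable_scoped, STORE, "acct-B", NAMES, NOW),
        "scoped_acct_A": needs_validation(find_reusable_scoped, STORE, "acct-A", NAMES, NOW),
    }

if __name__ == "__main__":
    for case, pending in demo().items():
        print(case, pending)
```

In the unscoped lookup, `acct-B` is not asked to validate `shop.example` because `acct-A` already did; the scoped lookup requires all three validations from `acct-B`. Revoked and expired authorizations are never reused in either model.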

Who is affected

Organizations that obtained certificates from TrustAsia via LiteSSL ACME after December 29, 2025, are directly affected through certificate revocation and potential service disruption. Customers and users of impacted websites or services are indirectly affected if revoked certificates are not replaced promptly.

Why CISOs should care

Certificate revocations can create sudden outages, break TLS-dependent integrations, and increase incident workload across distributed systems. Authorization reuse flaws also raise trust and compliance concerns because validation boundaries are foundational to PKI security and can undermine assurance if misapplied.

3 practical actions

  • Identify and replace revoked certificates: Inventory certificates issued by TrustAsia via ACME in the affected window and rotate any revoked/impacted certs immediately. 
  • Improve certificate lifecycle monitoring: Ensure revocation checking, expiry alerts, and automated reissuance workflows are operational across all internet-facing services. 
  • Reassess CA and ACME risk controls: Validate CA vendor governance, audit expectations, and ACME account segmentation to reduce systemic PKI exposure.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.