The company also claims to have implemented two additional verification procedures to prevent similar situations from happening in the future, one for checking various certificate characteristics during the certificate issuing process and one for checking already issued certificates before they are sent to customers.
One of the mis-issued sub-CA certificates had been revoked at the customer's request before being used, Turktrust said. The other was used on a Microsoft IIS (Internet Information Services) server that operated as a Web mail server for over a year, it said.
However, on Dec. 6 someone installed the Web mail sub-CA certificate and its corresponding private key in a firewall appliance manufactured by Check Point that was configured to run as a man-in-the-middle proxy, Turktrust said. That same day, the firewall used it to generate a fraudulent certificate for *.google.com.
"It appears that the firewall automatically generates MITM certificates once a CA cert is installed," Turktrust said.
The CA did not name the customers that received the two intermediate CA certificates, but according to a Microsoft security advisory published Thursday, they were issued for e-islem.kktcmerkezbankasi.org, a domain that belongs to the Central Bank of the Turkish Republic of Northern Cyprus and *.EGO.GOV.TR, the domain of the EGO General Directorate, an agency of the Municipality of Ankara that provides public services related to electricity, gas and transportation.
The unauthorized *.google.com certificate appears to have been issued using the *.EGO.GOV.TR sub-CA certificate.
According to documentation published on Check Point's website, some of its gateway security products do have HTTPS inspection capabilities. By default this feature uses a self-signed CA certificate that needs to be deployed on the network computers before it can be used to inspect HTTPS traffic without triggering certificate warnings in browsers.
However, the feature also allows customers to import their own CA certificate, which is what happened with the *.EGO.GOV.TR sub-CA certificate.
"The available data strongly suggests that the *.google.com cert was not issued for dishonest purposes or has not been used for such a purpose," Turktrust said. The company also stressed that there is no evidence of a security breach on its systems.