I recently did an investigation where I tried to simply download private
keys from web servers with common filenames. I collected these
filenames simply from common tutorials on the web (server.key,
privatekey.key, myserver.key, key.pem and [hostname].key with and
In several cases I was able to download private keys belonging to
currently valid certificates.
I wrote about this today for the German news site Golem.de (with an
English translation available):
In the course of this I also learned quite a bit about the revocation
process. According to the baseline requirements a CA shall revoke keys
within 24 hours in case of a key compromise.
Some notes about my experiences:
* All certificates I reported are revoked now.
* In several cases the deadline wasn't hit and CAs took longer. Some
took over 4 days. In one case (Gandi) I learned that it's a branded
CA from Comodo. Comodo immediately revoked the cert after they
learned about it, but this raises interesting questions about the
responsibilities of branded CAs.
* The reporting process is wildly different. Some CAs provide email
addresses, others online forms, Symantec has forms with captchas. In
the April CA communications Mozilla announced that it wants to
compile a list of contact methods and has asked CAs for them. I would
encourage streamlining that process. I also think revocation should
be automatable (at least on the side of the reporter) and wonder
whether things like forms with captchas should be ruled out.
Particularly interesting is Let's Encrypt, which provides an API via
ACME to revoke if you possess the private key. IMHO that's ideal.
* Comodo re-issued certs with the same key. I wonder if there should be
a rule that once a key compromise event is known to the CA it must
make sure this key is blacklisted. (Or maybe one of the existing
rules already applies, I don't know.)
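One check that both a reporter and a CA can apply before acting on a key-compromise report, as an added example that is not part of the original post: derive the SubjectPublicKeyInfo (SPKI) fingerprint from the private key and from the certificate, confirm they match, and keep the fingerprint of every compromised key in a blocklist so a re-issuance with the same key can be refused. It assumes `openssl` is on the PATH; the key, certificate and blocklist files are constructed inputs, not anything from the investigation.

```shell
#!/bin/sh
# Key/certificate matching and compromised-key blocklist checks built on openssl.
# Constructed example; file paths are whatever the caller passes in.

# spki_of_key KEY: SHA-256 over the DER SubjectPublicKeyInfo derived from a private key.
spki_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# spki_of_cert CERT: the same fingerprint, taken from the certificate's public key,
# so the two values are directly comparable.
spki_of_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# key_matches_cert KEY CERT: succeeds only if KEY is the private half of CERT's public key.
# An empty fingerprint (unparseable key) never counts as a match.
key_matches_cert() {
  k=$(spki_of_key "$1")
  [ -n "$k" ] && [ "$k" = "$(spki_of_cert "$2")" ]
}

# record_compromised KEY BLOCKLIST: append the key's fingerprint to the blocklist
# once a compromise has been confirmed, so later issuance requests can be checked.
record_compromised() {
  spki_of_key "$1" >> "$2"
}

# cert_is_blocklisted CERT BLOCKLIST: succeeds if CERT reuses a compromised key.
cert_is_blocklisted() {
  grep -qx "$(spki_of_cert "$1")" "$2"
}
```

A CA would run `cert_is_blocklisted` against the blocklist at issuance time; a reporter runs `key_matches_cert` to confirm the downloaded key really belongs to the live certificate before reporting it.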
I had opened a private bug in Mozilla's bugtracker which contains some
more info and lists of the specific certificates. It's up to Mozilla
when they'll open it, but from my side I think this can go public.