I'm 100% sure they do, but if you're careful when setting p your SSL/TLS keys, verisign (or any other CA) never sees your private keys, they just sign your CSR. If the FBI had wanted to, they could have seized the servers, and either broken into them and replaced the private key with their own, or replaced the servers with ones they'd built with their own ssl key pairs. But, as the article points out - what they were trying _very_ hard to get was complete infiltration of the entire Lavanit operation without any of the 400,000 paying customers of the supposedly secure email provider knowing about it. Kudos to Levinson for not allowing that to happen, to his great personal cost. (I doubt I'd have the courage to do the same)