There was so much more to this hack than what is described in this article. Google for Foxit, Diginotar and Black Tulip for the complete report. It is interesting to read how the intruders navigated the separate networks and got full RDP access to the 8 CA generator servers in the secure room.
On one side, the CA certificate network forces a different kind of trust than SSH certificates. With a CA cert, you trust the browser company, and (sometimes) distrust the host. With SSH, the choice is only whether or not you trust the host.
(Please note Windows uses a similar cert for RDP, with the same options to trust once, trust forever, or disconnect immediately.)
Certificate Transparency is almost a type of blockchain, where what's stored is a website's decryption key.
Minor nitpick/correction: certificates are public keys, not decryption keys. Also, you can only encrypt with a public key and decrypt with a private key, or sign with a private key and verify with a public key. In general, the CA PKI is mainly for endpoint (mainly server) authentication; actual encryption typically uses symmetric keys.
In Windows, one can use a certificate signed by the internal enterprise CA for RDP. This means that if one trusts the enterprise CA (which is the case within an enterprise), all internal RDP connections are immediately verified without prompts.
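As an added example (not part of the thread, and not any commenter's own script), this is how the setup in the comment above is typically applied on an RDP host: pick the server-authentication certificate issued by the internal enterprise CA and bind it to the RDP-Tcp listener, so domain clients that already trust that CA connect without a prompt. The issuer name "Contoso Issuing CA" is a placeholder; the rest assumes Windows PowerShell run elevated on the host.

```powershell
# Added example: bind an enterprise-CA-issued certificate to the RDP listener.
# Assumptions (placeholders): the host already holds a Server Authentication
# certificate from an internal CA named "Contoso Issuing CA" in LocalMachine\My,
# e.g. obtained via auto-enrolment, and this script runs elevated on the host.
$IssuerPattern = "*CN=Contoso Issuing CA*"   # replace with your enterprise CA's DN

# Choose the newest unexpired server-auth certificate from that issuer that has a
# private key. 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU OID.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -like $IssuerPattern -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains "1.3.6.1.5.5.7.3.1")
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable Server Authentication certificate from the enterprise CA was found."
}

# The RDP-Tcp listener records its certificate as a SHA-1 thumbprint in WMI
# (Win32_TSGeneralSetting.SSLCertificateSHA1Hash). Without this the listener
# keeps its self-signed certificate, which is what triggers the client prompt.
$listener = Get-WmiObject -Namespace root\cimv2\TerminalServices `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH -Argument @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Read the setting back to confirm the listener now presents the CA-issued cert.
$check = Get-WmiObject -Namespace root\cimv2\TerminalServices `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "RDP-Tcp listener thumbprint did not update."
}
"RDP-Tcp now presents $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```

The Remote Desktop service runs as NETWORK SERVICE, so that account needs read access to the certificate's private key; certificates auto-enrolled through Group Policy already have this, a manually imported one may not.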