
Digital Certificate Revocation

What is digital certificate revocation?


Digital certificate revocation is the process of invalidating a digital certificate before its natural expiration date. This is typically done when the certificate can no longer be trusted to provide secure communications.

Why it matters: Revocation helps maintain the overall security of the PKI ecosystem by ensuring that compromised or outdated certificates are not used for secure communications.

Why revoke a certificate?

There are several reasons why a certificate might need to be revoked:

  1. Compromised private key: If the private key associated with the certificate has been stolen or accessed by unauthorized parties, the certificate must be revoked immediately to prevent potential misuse.
  2. Change in certificate information: If there are significant changes to the information in the certificate (e.g., company name change, domain name change), the certificate should be revoked and a new one issued with the updated information.
  3. Cessation of operations: If the organization or entity that owns the certificate ceases operations or no longer requires the certificate, it should be revoked.
  4. Superseded by a new certificate: In some cases, a new certificate may be issued to replace an existing one before its expiration. The old certificate should be revoked to maintain clarity and prevent potential conflicts.
  5. Mis-issuance: If a certificate was issued in error or without proper validation, it should be revoked to maintain the integrity of the CA’s operations.

Example scenario: A company discovers that an employee with access to their private key has left the organization under unfavorable circumstances. To ensure the security of their communications, they should immediately revoke the current certificate and issue a new one with a fresh private key.

How to check if a certificate is revoked?

There are two primary methods for checking the revocation status of a certificate:

1. Certificate Revocation List (CRL):

2. Online Certificate Status Protocol (OCSP):

How to perform a check:

For CRL:

  1. Locate the CRL distribution point in the certificate (usually in the “CRL Distribution Points” extension).
  2. Download the CRL from the specified URL.
  3. Check if the certificate’s serial number is listed in the CRL.

For OCSP:

  1. Find the OCSP responder URL in the certificate (typically in the “Authority Information Access” extension).
  2. Send an OCSP request to the responder with the certificate’s information.
  3. Receive and interpret the OCSP response.

Many operating systems and browsers perform these checks automatically when encountering a certificate.

Who can revoke a certificate?

Typically, two entities can revoke a digital certificate:

1. Certificate Authority (CA):

2. Certificate Owner:

Process for certificate owners:

  1. Log into the CA’s certificate management portal.
  2. Locate the certificate to be revoked.
  3. Select the revocation option and provide a reason.
  4. Confirm the revocation request.
  5. The CA processes the request and updates its revocation lists.

It’s crucial to have proper authentication and authorization mechanisms in place to ensure that only legitimate requests for revocation are processed.

What happens after revocation?

Once a certificate is revoked, several things occur:

1. Certificate becomes invalid:

2. Systems should reject the certificate:

3. Revocation information is published:

4. Potential service disruption:

5. Security alerts:

Best practices after revocation:

  1. Immediately remove the revoked certificate from all systems and applications.
  2. Install a new, valid certificate as soon as possible to restore secure communications.
  3. Investigate the reason for revocation and take appropriate security measures (e.g., changing compromised passwords, updating systems).
  4. Review and update certificate management processes to prevent similar issues in the future.

Conclusion

Understanding certificate revocation is crucial for maintaining a secure digital environment. By promptly revoking compromised or outdated certificates and properly checking revocation status, organizations can significantly enhance their cybersecurity posture and protect sensitive communications.

Remember that certificate management, including revocation, is an ongoing process. Regular audits, transparent policies, and automated tools can help ensure that your digital certificates remain valid, trusted, and secure.


For more information on OCSP stapling and how to implement it on your servers, please read our article, Page Load Optimization: OCSP Stapling. For examples of browser error messages resulting from revoked certificates, please refer to this guide. You can check a certificate’s revocation status at certificate.revocationcheck.com. And, of course, if you have questions about OCSP or any other topic related to PKI and digital certificates, please contact us by email at Support@SSL.com, call 1-SSL-SECURE, or simply click the chat button at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase. And, as always, thank you for choosing SSL.com!