Digital Certificate Revocation

SSL Support Team

3 weeks ago

What is digital certificate revocation?

[toc]

Digital certificate revocation is the process of invalidating a digital certificate before its natural expiration date. This is typically done when the certificate can no longer be trusted to provide secure communications.

Why it matters: Revocation helps maintain the overall security of the PKI ecosystem by ensuring that compromised or outdated certificates are not used for secure communications.

Why revoke a certificate?

There are several reasons why a certificate might need to be revoked:

Compromised private key: If the private key associated with the certificate has been stolen or accessed by unauthorized parties, the certificate must be revoked immediately to prevent potential misuse.
Change in certificate information: If there are significant changes to the information in the certificate (e.g., company name change, domain name change), the certificate should be revoked and a new one issued with the updated information.
Cessation of operations: If the organization or entity that owns the certificate ceases operations or no longer requires the certificate, it should be revoked.
Superseded by a new certificate: In some cases, a new certificate may be issued to replace an existing one before its expiration. The old certificate should be revoked to maintain clarity and prevent potential conflicts.
Mis-issuance: If a certificate was issued in error or without proper validation, it should be revoked to maintain the integrity of the CA’s operations.

Example scenario: A company discovers that an employee with access to their private key has left the organization under unfavorable circumstances. To ensure the security of their communications, they should immediately revoke the current certificate and issue a new one with a fresh private key.

How to check if a certificate is revoked?

There are two primary methods for checking the revocation status of a certificate:

1. Certificate Revocation List (CRL):

A CRL is a list of revoked certificates maintained by the Certificate Authority (CA).
Clients download the CRL periodically and check it against the certificate in question.
Pros: Can be cached locally, reducing network traffic.
Cons: May not be up-to-date between updates, can become large and unwieldy.

2. Online Certificate Status Protocol (OCSP):

OCSP allows real-time certificate status checks.
Clients send a request to an OCSP responder to verify a specific certificate’s status.
Pros: Provides real-time status, more efficient than downloading entire CRLs.
Cons: Requires network connectivity for each check, potential privacy concerns.

How to perform a check:

For CRL:

Locate the CRL distribution point in the certificate (usually in the “CRL Distribution Points” extension).
Download the CRL from the specified URL.
Check if the certificate’s serial number is listed in the CRL.

For OCSP:

Find the OCSP responder URL in the certificate (typically in the “Authority Information Access” extension).
Send an OCSP request to the responder with the certificate’s information.
Receive and interpret the OCSP response.

Many operating systems and browsers perform these checks automatically when encountering a certificate.

Who can revoke a certificate?

Typically, two entities can revoke a digital certificate:

1. Certificate Authority (CA):

The CA that issued the certificate has the authority to revoke it.
CAs may revoke certificates for various reasons, including suspected compromise, policy violations, or at the request of the certificate owner.

2. Certificate Owner:

The organization or individual to whom the certificate was issued can request revocation.
This is usually done through a portal or interface provided by the CA.

Process for certificate owners:

Log into the CA’s certificate management portal.
Locate the certificate to be revoked.
Select the revocation option and provide a reason.
Confirm the revocation request.
The CA processes the request and updates its revocation lists.
It’s crucial to have proper authentication and authorization mechanisms in place to ensure that only legitimate requests for revocation are processed.

What happens after revocation?

Once a certificate is revoked, several things occur:

1. Certificate becomes invalid:

The certificate is no longer considered trustworthy for secure communications.
It should not be used for encryption, digital signatures, or authentication purposes.

2. Systems should reject the certificate:

Properly configured systems and applications will check the revocation status and reject revoked certificates.
This prevents the establishment of secure connections using the compromised or invalid certificate.

3. Revocation information is published:

The CA updates its Certificate Revocation List (CRL) to include the revoked certificate.
OCSP responders are updated to report the revoked status when queried.

4. Potential service disruption:

Services using the revoked certificate may become unavailable until a new certificate is installed.
It’s important to have a plan to quickly replace revoked certificates to minimize downtime.

5. Security alerts:

Some systems may generate alerts when they detect the use of a revoked certificate.
These alerts can help administrators identify and address potential security issues.

Best practices after revocation:

Immediately remove the revoked certificate from all systems and applications.
Install a new, valid certificate as soon as possible to restore secure communications.
Investigate the reason for revocation and take appropriate security measures (e.g., changing compromised passwords, updating systems).
Review and update certificate management processes to prevent similar issues in the future.

Conclusion

Understanding certificate revocation is crucial for maintaining a secure digital environment. By promptly revoking compromised or outdated certificates and properly checking revocation status, organizations can significantly enhance their cybersecurity posture and protect sensitive communications.

Remember that certificate management, including revocation, is an ongoing process. Regular audits, transparent policies, and automated tools can help ensure that your digital certificates remain valid, trusted, and secure.

For more information on OCSP stapling and how to implement it on your servers, please read our article, Page Load Optimization: OCSP Stapling. For examples of browser error messages resulting from revoked certificates, please refer to this guide. You can check a certificate’s revocation status at certificate.revocationcheck.com. And, of course, if you have questions about OCSP or any other topic related to PKI and digital certificates, please contact us by email at Support@SSL.com, call 1-SSL-SECURE, or simply click the chat button at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase. And, as always, thank you for choosing SSL.com!