
What is Certificate Revocation and when should I do it?

Certificate revocation is the act of invalidating a TLS/SSL certificate before its scheduled expiration date. A certificate should be revoked immediately when there is any sign that its private key has been compromised. It should also be revoked when the domain for which it was issued is no longer operational.


Certificates that are revoked are recorded by the CA on a list called the Certificate Revocation List (CRL). When a client attempts to initiate a connection with a server, it checks the server’s certificate for problems, and part of this check is to ensure that the certificate is not on the CRL. For each revoked certificate, the CRL contains its serial number and the time of revocation.

CRLs can be very large, and the client that conducts the check has to download and parse the whole list to find (or not find) the requested site’s certificate. This results in a lot of overhead, and because a downloaded list is only refreshed periodically, a certificate could be revoked in the interval between one download and the next. In such a scenario the client might unknowingly accept the revoked certificate.
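The CRL check described above, written here as an added example using Go’s standard library (this is not code from the original article). The client trusts the list only after verifying the issuing CA’s signature and checking that the list’s NextUpdate time has not passed, since an out-of-date copy is exactly the window in which a freshly revoked certificate slips through. The CA, the CRL and the serial numbers are constructed inside the code; nothing is fetched from a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// crlStatus reports whether serial is on the DER-encoded CRL, trusting the list only if the issuing
// CA's signature verifies and NextUpdate has not passed (a stale cached copy may miss recent revocations).
func crlStatus(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // only the issuing CA may revoke
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s: fetch a fresh list before trusting it", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificates { // Go 1.21+ also exposes RevokedCertificateEntries
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// makeFixture builds a constructed test CA and a CA-signed CRL revoking serial 4242 (a stand-in leaf cert).
func makeFixture(now time.Time) (*x509.Certificate, []byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen from rand.Reader does not fail
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(der) // DER we just produced, so parsing cannot fail
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(6 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4242), RevocationTime: now}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, ca, key)
	return ca, crlDER, err
}
```

Calling crlStatus with serial 4242 returns true; with any other serial it returns false; and once the clock passes NextUpdate it refuses to answer rather than silently reporting “good” from a stale list.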

A more recent and sophisticated method of detecting revoked certificates is the Online Certificate Status Protocol (OCSP). Here, instead of downloading and parsing the entire CRL, the client sends a query about the specific certificate in question to the CA. The CA then returns the status of that certificate as “good,” “revoked,” or “unknown.” This method involves far less overhead than a CRL check and is also more reliable.
