Certificate Revocation and CRL
Manage certificate revocation in case of compromise or change.
Certificate revocation is the process that invalidates an SSL certificate before its expiration date. It's an essential security measure in case of private key compromise, organization change, or simply when a certificate is no longer needed.
Two main mechanisms allow checking revocation: CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol). Understanding these mechanisms is crucial for maintaining your infrastructure security.
MoniTao monitors your certificates and helps you maintain a healthy SSL infrastructure. If a revocation becomes necessary, you'll already have new keys and certificates prepared.
What is Revocation?
Understanding revocation concepts:
- Revocation vs Expiration: expiration is automatic at the planned date. Revocation is a manual action that immediately invalidates a certificate.
- CRL (Certificate Revocation List): a list signed by the CA containing all revoked certificates. Clients periodically download this list.
- OCSP (Online Certificate Status Protocol): allows checking the status of a specific certificate in real-time without downloading the entire CRL.
- Propagation delay: revocation is not instantaneous. CRLs are updated periodically and OCSP caches have a lifetime.
Reasons to Revoke a Certificate
When should you revoke a certificate:
- Compromised private key: if your private key was stolen or exposed, immediately revoke the certificate and generate a new one.
- Organization change: in case of merger, acquisition, or name change, old certificates may require revocation.
- Certificate replaced: when you replace a certificate before expiration, you can revoke the old one as a precaution.
- Error in certificate: incorrect information in the certificate (wrong domain, wrong organization) requires revocation.
How to Revoke a Certificate
Steps to revoke your certificate:
- Prepare the replacement: before revoking, generate a new certificate to avoid any service interruption.
- Contact your CA: log into your account at the certificate authority and find the revocation option.
- Indicate the reason: you'll often need to specify the reason for revocation (compromise, change, etc.).
- Confirm and install the new one: after confirmation, immediately install the new certificate on your server.
Check Revocation Status
How to check if a certificate is revoked:
# Check via OCSP: find the responder URL embedded in the server's certificate
# (</dev/null stops s_client from waiting on stdin; -servername sends SNI)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \
openssl x509 -noout -ocsp_uri
# Result: http://ocsp.example-ca.com
# Manual OCSP request (cert.pem = server certificate, chain.pem = its issuer)
openssl ocsp -issuer chain.pem -cert cert.pem \
-url http://ocsp.example-ca.com -resp_text
# Download and check the CRL (add -inform DER if the CA publishes it in DER form)
curl -O http://crl.example-ca.com/crl.pem
openssl crl -in crl.pem -text -noout
# Let's Encrypt - Revoke with Certbot (add --reason keycompromise when the key leaked)
certbot revoke --cert-path /etc/letsencrypt/live/domain/cert.pem
These commands check a certificate's status or, for Let's Encrypt, revoke it via Certbot.
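To see both halves of the procedure above end to end (the CA-side revocation and the CRL check a client performs), here is an added example that is not part of the original page or MoniTao's tooling. It builds a throwaway local CA with openssl, issues a leaf certificate, revokes it with reason keyCompromise, regenerates the CRL, and shows the verify result flip from good to revoked; the ./demo-ca directory, the config section names and the subject names are all constructed.

```shell
#!/bin/sh
# Added example (not MoniTao's or OpenSSL's own code). A throwaway local CA under
# ./demo-ca (assumed writable) issues a leaf, revokes it, publishes a CRL, and a
# CRL-checking client reports "good" before and "revoked" after. Names are made up.
set -eu
CA_DIR=./demo-ca

setup_demo_ca() {
    rm -rf "$CA_DIR" && mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"            # openssl ca's certificate database
    echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=DemoCA -days 30 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.test \
        -keyout "$CA_DIR/leaf.key" -out "$CA_DIR/leaf.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/ca.cnf" \
        -in "$CA_DIR/leaf.csr" -out "$CA_DIR/leaf.pem" 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}
# CA side of "Contact your CA": mark the cert revoked, then publish a fresh CRL.
revoke_leaf() {
    openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/leaf.pem" \
        -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}
# Client side: validate the chain and consult the CRL. Prints good / revoked / error.
crl_status() {
    out=$(openssl verify -CAfile "$CA_DIR/ca.pem" -crl_check \
        -CRLfile "$CA_DIR/crl.pem" "$CA_DIR/leaf.pem" 2>&1) && { echo good; return 0; }
    case $out in *revoked*) echo revoked ;; *) echo "error: $out" ;; esac
}
```

Run setup_demo_ca, then crl_status (good), then revoke_leaf and crl_status again (revoked); until the CRL is regenerated after the revoke, clients still see the old list, which is the propagation delay described above.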
Best Practices
Tips for revocation management:
- Always have a backup: before revoking, ensure you have a new certificate ready to install.
- Document keys: keep track of all your keys and certificates to be able to revoke easily when needed.
- Revoke proactively: don't leave unused old certificates lying around. Revoke them as a precaution.
- Monitor your certificates: use MoniTao to maintain an overview of all your active certificates.
Revocation Checklist
- New certificate generated
- New certificate tested
- Old certificate revoked via CA
- New certificate installed
- Old private key deleted
- Monitoring updated
Frequently Asked Questions
Is revocation instantaneous?
No. There can be a delay of several hours before all clients see the revocation, depending on their CRL/OCSP caches.
Can I "un-revoke" a certificate?
No, revocation is permanent. You must obtain a new certificate.
What happens if I don't revoke a compromised certificate?
An attacker could use it for MITM attacks until it expires. Revocation is essential.
How do I revoke a Let's Encrypt certificate?
Use the command certbot revoke --cert-path /path/to/cert.pem.
Do browsers really check revocation?
Most use OCSP with soft-fail: if OCSP doesn't respond, they accept the certificate. Chrome uses its own lists.
Does MoniTao detect revoked certificates?
MoniTao checks certificate validity. A revoked certificate will cause an SSL error that triggers an alert.
Prepare for Revocation
Revocation is a situation we hope to avoid but must be prepared for. A clear procedure and ready-to-install replacement certificates minimize the impact of a compromise.
With MoniTao, maintain an overview of your certificates and be ready to react quickly if revocation is needed.