What is certificate revocation & when should an SSL certificate be revoked?
Digital certificates are vital for identity-first security. Lifecycle management, including certificate revocation, is crucial. Certificate revocation prevents security vulnerabilities and breaches.
Digital certificates are the driving force behind today's identity-first security strategies, and given the increased reliance on these certificates (and their increased volume) there is no denying the importance of strategic lifecycle management. Often, however, the individuals or entities that require certificates focus on the early stages of that lifecycle: discovery, issuance, and, eventually, renewals. Yes, these processes are crucial, but sometimes they need to be accompanied by another, often less-understood step: certificate revocation.
Certificate revocation invalidates a certificate before it expires. This is an essential component of the certificate management lifecycle to understand as it helps prevent security vulnerabilities and breaches that could be caused by a compromised private key, a wrongfully issued certificate, and more.
In this article, we’ll go over what the purpose of this lifecycle stage is, when it’s needed, what it entails, and more.
What is the purpose of certificate revocation?
Certificate revocation acts as a safeguard in the event that an SSL/TLS certificate is compromised. When signs of trouble are detected, digital certificates should be revoked to prevent unauthorized users from impersonating entities or otherwise allowing bad actors to exploit compromised certificates.
At the individual level, this ensures that each certificate is capable of carrying out its primary function: establishing secure connections and ultimately, greater peace of mind. Revocation capabilities are also important on a larger scale, as they play into broader risk management efforts and can help improve trust among web servers, browsers, and other parties.
When to revoke an SSL certificate
Certificate revocations are very common, and it’s not unusual for certificate holders to take this step at some point. Here are the main reasons an SSL certificate is revoked:
Key compromise. One of the main issues sparking revocation: signs that the private keys for the certificate have been stolen or otherwise compromised. These may be compromised due to poor key management, weak encryption, or a whole host of other issues — but when this occurs, prompt certificate revocation is essential.
Wrongfully issued. Digital certificates are designed to verify the certificate holder's identity. If that identity is not properly verified by the Certificate Authority (CA), it is possible that the entity that obtains the certificate could be fraudulent. In some situations, threat actors have managed to secure certificates via phishing and other malicious activities. While working with a highly respected CA can limit the potential for such issues, it is also important to have revocation options available so that, in the worst-case scenario, wrongfully issued certificates can be promptly revoked.
Changes in domain ownership. Certificate revocation is not always strictly reactionary in nature. This may also occur in response to domain ownership changes, with the goal of preventing potential misuse by a new domain owner. In this situation, revocation is also warranted due to the possible lack of trust that could arise if the certificate's authenticity is brought into question.
Cyberattacks. In the event of a malware or other cyberattack, prompt revocation is essential. Otherwise, compromised certificates could be involved in the further spread of malware.
What is a Certificate Revocation List (CRL)?
A Certificate Revocation List (CRL) is a record of digital certificates that have been revoked. This list is created and signed by a Certificate Authority, and it provides a simple way of indicating which certificates are no longer valid and should not be trusted.
CRL entries may include the certificate serial numbers, along with details about the revocation date and the issuing CA. These are then sent to various distribution sites to ensure they are accessible so that the parties that rely on them can easily download and cache these resources. These CRLs should be updated on a regular basis to ensure that details about revoked certificates are accurate.
What is Online Certificate Status Protocol (OCSP)?
Online Certificate Status Protocol (OCSP) allows for real-time certificate status checks as web browsers and other entities can send a request to an OCSP server for information on the revocation status of a certificate. This helps fill in the gaps from the CRL, as that list is updated periodically versus in real-time.
The OCSP process begins with the client making a request to an OCSP responder, which may be operated directly by the CA in question. Upon receiving this OCSP request, the responder promptly checks the status of the certificate in question. The ensuing response should immediately reveal whether the certificate remains valid or has been revoked. The client can then take action according to this response or continue on to check the CRL and secure additional details.
How browsers handle revoked certificates
When web browsers encounter an SSL/TLS certificate, they complete multiple checks to confirm its validity. This includes verifying the digital signature on the certificate, confirming the certificate is within its validity period, and then completing a certificate revocation status check.
To complete this check, browsers utilize the CRL or OCSP. If these solutions indicate that the certificate has not been revoked, it is possible to proceed with the connection. If, however, they indicate revocation, a warning will be displayed to help safeguard potentially at-risk users. In some situations, these connections may be barred altogether. If users are able to proceed, they could face significant security risks.
Reissuing an SSL after revocation
Revocation represents just one development in a vast certificate lifecycle that also includes several other steps: issuance, usage and monitoring, expiration and renewal. When revocation proves necessary, a plan must be in place to ensure that there is still strong coverage from valid digital certificates. This typically is handled through reissuance, in which a request is submitted to the CA and the identity of the person or entity seeking the new certificate is verified.
During this process, further status checks may be needed to ensure that compromised certificates have been properly revoked. Furthermore, the CA may conduct a comprehensive review to determine the circumstances surrounding the previous revocation. This is important for promoting legitimate reissuance requests. As with 'typical' renewal processes, validation is crucial, encompassing reviews of domain ownership and other details. The new certificate can then be issued, installed, and configured with confidence.
Practical takeaways
Certificate revocation plays a critical role in promoting digital security. This is just one component of the complex series of digital certificate solutions offered by Sectigo Certificate Manager (SCM).
The goal: to streamline all aspects of certificate lifecycle management to drive greater efficiency and security. We also offer highly trusted SSL/TLS certificates, which are critical for authenticating identities and for creating secure connections.
Explore these opportunities or start a free trial of SCM to discover the power of automated certificate lifecycle management.