Loading learning content...
Imagine discovering that your company's private key has been compromised. It's been leaked on a dark web forum. Attackers could now impersonate your servers, intercept customer data, sign malware with your code signing certificate. Your certificate doesn't expire for another two years. What do you do?
The answer is revocation—formally declaring that a certificate is no longer valid, even though it hasn't expired. In theory, this sounds straightforward. In practice, certificate revocation is one of the hardest problems in PKI—a problem that, despite decades of effort, remains imperfectly solved.
The core challenge: certificates are distributed. When a CA revokes a certificate, how do millions of clients learn about it? Clients can't query the CA for every certificate they encounter—that would create massive traffic and a single point of failure. But without checking, clients might trust a revoked certificate, enabling the very attacks revocation was meant to prevent.
This page examines the revocation mechanisms that exist (CRLs, OCSP, Stapling), their tradeoffs, their failures, and the emerging solutions that may finally address PKI's hardest problem.
By the end of this page, you will understand why revocation is hard, how CRLs and OCSP work, the problems with each approach, how OCSP Stapling addresses some issues, what browsers actually do (or don't do) about revocation, and emerging solutions like short-lived certificates.
Certificates have validity periods (typically 90 days to 2 years for TLS certificates). But many events require invalidating a certificate before expiration:
Revocation Reasons (RFC 5280):
| Reason Code | Name | Description |
|---|---|---|
| 0 | unspecified | No specific reason given |
| 1 | keyCompromise | Private key has been compromised or disclosed |
| 2 | caCompromise | Issuing CA's key has been compromised |
| 3 | affiliationChanged | Subject's affiliation has changed (e.g., employee left) |
| 4 | superseded | Certificate replaced with a newer one |
| 5 | cessationOfOperation | Certificate subject no longer operates |
| 6 | certificateHold | Temporary hold (can be removed later) |
| 8 | removeFromCRL | Remove previously held certificate from CRL |
| 9 | privilegeWithdrawn | Subject's privileges have been withdrawn |
| 10 | aaCompromise | Attribute Authority compromised |
Real-World Revocation Scenarios:
Key Compromise: The most critical case. If an attacker obtains your private key, they can:
Examples:
Certificate Mis-issuance: Sometimes CAs issue certificates they shouldn't have:
Organizational Changes:
From the moment a key is compromised until all clients learn of the revocation, a window of vulnerability exists. Attackers can exploit this window. The goal of revocation systems is to minimize this window—but none of them can eliminate it entirely.
The oldest revocation mechanism is the Certificate Revocation List (CRL)—a signed document containing the serial numbers of all revoked certificates issued by a CA.
How CRLs Work:
CRL Structure:
123456789101112131415161718192021222324
CertificateList ::= SEQUENCE { tbsCertList TBSCertList, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING} TBSCertList ::= SEQUENCE { version Version OPTIONAL, -- v2 if extensions present signature AlgorithmIdentifier, issuer Name, -- CA that issued this CRL thisUpdate Time, -- When CRL was issued nextUpdate Time OPTIONAL, -- When next CRL expected revokedCertificates SEQUENCE OF SEQUENCE { userCertificate CertificateSerialNumber, revocationDate Time, crlEntryExtensions Extensions OPTIONAL -- Revocation reason, etc. } OPTIONAL, crlExtensions [0] EXPLICIT Extensions OPTIONAL} # Example CRL entry:# Serial Number: 04:65:d5:40:6c:e7:78:94:4e:8b# Revocation Date: Jan 15 12:00:00 2024 UTC# Reason: keyCompromise (1)CRL Distribution:
Certificates specify where to find CRLs in the CRL Distribution Points extension:
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.example.com/intermediate.crl
CRL Problems:
Delta CRLs:
To address the size problem, RFC 5280 defines Delta CRLs—CRLs containing only changes since a base CRL:
In practice, Delta CRLs aren't widely used due to complexity and limited client support.
CRL Caching:
CRLs include nextUpdate field indicating when a fresh CRL should be available. Clients can cache CRLs until this time, reducing bandwidth. But this means revocations may not be visible until the cache expires—a significant security gap.
Despite their limitations, CRLs remain available as a fallback. Many enterprise environments still use CRLs for internal PKI. For public web PKI, OCSP has largely replaced CRL checking, but CRL URLs are still included in certificates.
Online Certificate Status Protocol (OCSP), defined in RFC 6960, addresses CRL's scaling problems by providing real-time, per-certificate status queries.
How OCSP Works:
OCSP Request/Response:
123456789101112131415161718192021222324252627282930
# Extract OCSP responder URL from certificateopenssl x509 -in cert.pem -noout -ocsp_uri# Output: http://r3.o.lencr.org # Get the issuer certificate (needed for OCSP)openssl x509 -in cert.pem -noout -issuer# Issuer: CN = R3, O = Let's Encrypt, C = US # Make an OCSP requestopenssl ocsp -issuer intermediate.pem \ -cert server.pem \ -url http://r3.o.lencr.org \ -resp_text -noverify # Response structure:OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = US, O = Let's Encrypt, CN = R3 Produced At: Jan 17 10:00:00 2024 UTC Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 48DAC9A0... Issuer Key Hash: 142EB317... Serial Number: 0465D5406CE778944E8B... Cert Status: good This Update: Jan 17 10:00:00 2024 UTC Next Update: Jan 24 10:00:00 2024 UTCOCSP Response Status Values:
| Status | Meaning | Client Action |
|---|---|---|
| good | Certificate is not revoked | Accept the certificate |
| revoked | Certificate has been revoked (includes date and reason) | Reject the certificate |
| unknown | Responder doesn't know about this certificate | Typically treat as 'good' or try alternate method |
OCSP Advantages over CRL:
OCSP Problems:
When browsers can't reach the OCSP responder, they typically accept the certificate anyway ('soft-fail'). This means an attacker who controls the network can block OCSP queries and use a revoked certificate. The alternative, 'hard-fail', would break internet access whenever a CA's OCSP server is slow or unreachable—unacceptable for user experience.
OCSP Stapling (technically, the TLS Certificate Status Request extension, RFC 6066) addresses many OCSP problems by having the server provide the OCSP response.
How Stapling Works:
Benefits:
12345678910111213141516171819202122232425262728293031323334353637
# Nginx OCSP stapling configuration server { listen 443 ssl http2; server_name example.com; ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; # Enable OCSP stapling ssl_stapling on; ssl_stapling_verify on; # Certificate chain for stapling verification ssl_trusted_certificate /etc/nginx/ssl/chain.pem; # Resolver for OCSP responder lookup resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 10s;} # Apache OCSP stapling configuration<VirtualHost *:443> SSLEngine on SSLCertificateFile /path/to/cert.pem SSLCertificateKeyFile /path/to/key.pem SSLCertificateChainFile /path/to/chain.pem # Enable stapling SSLUseStapling On SSLStaplingCache "shmcb:/var/run/ocsp(128000)" SSLStaplingResponseMaxAge 86400</VirtualHost> # Verify stapling is workingopenssl s_client -connect example.com:443 -status 2>/dev/null | grep -A 3 "OCSP Response"# Should show: OCSP Response Status: successfulOCSP Must-Staple:
To address the soft-fail problem, certificates can include the OCSP Must-Staple extension (RFC 7633). This extension indicates:
This converts soft-fail to hard-fail for servers that opt-in:
X509v3 TLS Feature:
status_request (OCSP Must-Staple)
Must-Staple Tradeoffs:
Enable OCSP stapling on all production servers. It improves connection latency, protects user privacy, and reduces load on CA infrastructure. Monitor stapling status—a server that stops stapling may indicate OCSP fetch issues that should be investigated.
Despite the mechanisms available, what do browsers actually do to check revocation? The answer may surprise you—and depress you if you care about security.
Chrome (Most Used Browser):
CRLSets:
Google's CRLSet is a curated, compressed set of revoked certificates that Chrome considers particularly important (compromised CAs, high-profile incidents). It's:
Firefox:
Safari:
Most revocations are never effectively communicated to most clients. Chrome protects against high-profile incidents via CRLSets but ignores routine revocations. Firefox's soft-fail OCSP provides partial protection. The practical impact: if a certificate is revoked, don't assume clients will notice—especially quickly.
| Browser | OCSP (Live) | Stapled OCSP | Must-Staple | CRL/CRLSet | Soft-Fail |
|---|---|---|---|---|---|
| Chrome | ❌ Off by default | ✅ Validates | ✅ Hard-fail | CRLSets only | N/A (no check) |
| Firefox | ✅ On by default | ✅ Validates | ✅ Hard-fail | OneCRL + CRLite | Yes (soft-fail) |
| Safari | ✅ On by default | ✅ Validates | ✅ Hard-fail | Apple push | Yes (soft-fail) |
| Edge (Chromium) | ❌ Off by default | ✅ Validates | ✅ Hard-fail | CRLSets | N/A (no check) |
Given the limitations of current revocation mechanisms, researchers and practitioners have developed alternative approaches.
Short-Lived Certificates:
The most radical solution: make revocation unnecessary by having certificates that expire quickly.
| Validity | Maximum Exposure | Automation Requirement |
|---|---|---|
| 2 years | Up to 2 years | Manual renewal acceptable |
| 1 year | Up to 1 year | Calendar reminders work |
| 90 days | Up to 90 days | Automation strongly recommended |
| 7 days | Up to 7 days | Automation mandatory |
| 24 hours | Up to 24 hours | Continuous automation required |
CRLite (Mozilla Research):
CRLite compresses the entire global CRL (all revoked certificates from all CAs) into a compact data structure:
Certificate Transparency Log Monitoring:
CT logs provide another avenue for revocation-adjacent functionality:
Expect-CT and CT Enforcement:
While not revocation per se, Certificate Transparency makes mis-issuance detectable:
The industry is moving toward shorter certificate lifespans. Apple and Google have pushed for 1-year (now 398-day) maximum validity. Future proposals may further reduce this. The endpoint of this trend: certificates so short-lived that revocation becomes unnecessary.
When you need to revoke a certificate, here's how to do it properly:
Step 1: Revoke Through Your CA
Each CA has a different revocation process:
123456789101112131415161718192021222324252627
# Let's Encrypt revocation via certbotcertbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem \ --reason keyCompromise # Let's Encrypt revocation using the private key (if you still have it)certbot revoke --cert-path /path/to/cert.pem \ --key-path /path/to/privkey.pem # Let's Encrypt revocation using account credentials# (proves you're the certificate owner)certbot revoke --cert-path /path/to/cert.pem # Commercial CA revocation: typically via web portal# 1. Log into CA's certificate management portal# 2. Find the certificate to revoke# 3. Select revocation reason# 4. Confirm revocation# 5. CA updates CRL and OCSP responder # Enterprise/Internal CA using OpenSSLopenssl ca -config /etc/ssl/openssl.cnf \ -revoke /path/to/cert.pem \ -crl_reason keyCompromise # Regenerate CRL after revocationopenssl ca -config /etc/ssl/openssl.cnf \ -gencrl -out /path/to/crl.pemStep 2: Verify Revocation
Confirm the certificate is actually revoked:
123456789101112131415161718
# Check OCSP statusopenssl ocsp -issuer intermediate.pem \ -cert revoked-cert.pem \ -url http://ocsp.example.com \ -resp_text # Expected output for revoked cert:# Cert Status: revoked# Revocation Time: Jan 17 15:30:00 2024 UTC# Revocation Reason: keyCompromise (1) # Check if cert appears in CRLopenssl crl -in crl.pem -noout -text | grep -A1 "Serial Number" # Verify certificate against CRLopenssl verify -crl_check -CAfile ca-bundle.pem \ -CRLfile crl.pem revoked-cert.pem# Should fail: certificate revokedStep 3: Replace the Certificate
Step 4: Investigate and Remediate
Remember: revocation propagation takes time. CRLs may have nextUpdate hours or days away. OCSP responses may be cached. CRLSets update with browser releases. Even after successful revocation through your CA, some clients may continue trusting the certificate for a period. Plan accordingly for high-security incidents.
Certificate revocation is PKI's hardest problem—and one without a perfect solution. Let's consolidate what we've learned:
What's Next:
We've now explored individual PKI components: certificates, CAs, trust chains, and revocation. The final page brings it all together: PKI Infrastructure—how all these pieces combine into functioning systems, from web PKI to enterprise deployments to specialized environments.
You now understand certificate revocation deeply: CRLs, OCSP, stapling, browser behavior, and emerging solutions. This knowledge is essential for incident response, understanding PKI limitations, and making informed security decisions. Next, we explore the complete PKI infrastructure ecosystem.