Certificate Revocation

The process of invalidating a certificate before its expiration date

Certificate Management

Certificate Revocation is the process of invalidating an SSL certificate before its natural expiration date due to various security or administrative reasons. Common reasons for revocation include private key compromise, change in certificate subject information, cessation of operation, or CA compromise. When a certificate is revoked, the CA adds it to the Certificate Revocation List (CRL) and updates OCSP responders to return a 'revoked' status for that certificate.

Browsers and other applications are expected to check revocation status before trusting a certificate, though this doesn't always happen in practice due to performance and reliability concerns. The revocation process typically involves the certificate holder contacting the CA with proper authentication and providing a reason for revocation. Once revoked, a certificate cannot be 'un-revoked'; a new certificate must be issued if continued service is needed.

Certificate revocation is a critical security mechanism, but its effectiveness depends on applications actually checking revocation status. Some high-security environments implement 'hard-fail' policies where certificates with unknown revocation status are rejected, while others use 'soft-fail' approaches that allow connections when revocation checking fails.
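The difference between the two policies shows up when the revocation check cannot complete. The following sketch is an added example, not code from the original page: the revocation sources are simulated in-process, the serial numbers are constructed, and all function names are hypothetical.

```python
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no source produced a definitive answer

class CheckUnavailable(Exception):
    """A revocation source timed out or returned no usable response."""

# Constructed sample data: serials a hypothetical CA has revoked, with reasons.
REVOKED_SERIALS = {0x1A2B: "keyCompromise", 0x3C4D: "cessationOfOperation"}

def ocsp_lookup(serial):
    """Stand-in for an OCSP query that succeeds (simulated, no network)."""
    return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD

def unreachable(serial):
    """Stand-in for a responder or CRL endpoint that cannot be reached."""
    raise CheckUnavailable("revocation source timed out")

def check_revocation(serial, sources):
    """Query sources in order; the first definitive answer wins."""
    for source in sources:
        try:
            return source(serial)
        except CheckUnavailable:
            continue          # fall through to the next source, if any
    return Status.UNKNOWN

def decide(serial, sources, hard_fail):
    """Return (trusted, reason) under a hard-fail or soft-fail policy."""
    status = check_revocation(serial, sources)
    if status is Status.REVOKED:
        return False, "revoked: " + REVOKED_SERIALS[serial]
    if status is Status.UNKNOWN:
        if hard_fail:
            return False, "status unknown, rejected (hard-fail)"
        return True, "status unknown, accepted (soft-fail)"
    return True, "good"

if __name__ == "__main__":
    cases = [("source up", [ocsp_lookup]), ("source down", [unreachable])]
    for label, sources in cases:
        for hard in (False, True):
            for serial in (0x1A2B, 0x9999):   # revoked, not revoked
                print(label, "hard_fail=%s" % hard, hex(serial),
                      decide(serial, sources, hard))
```

With the source down, soft-fail accepts the revoked serial, while hard-fail rejects both the revoked and the valid one: the first is the security cost of soft-fail, the second the availability cost of hard-fail.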

Where You'll See This Term

This term commonly appears in:

  • SSL certificate details pages
  • Certificate Authority validation processes
  • SSL configuration documentation
  • Security audit reports
  • Certificate management interfaces
