Certificate Revocation
The process of invalidating a certificate before its expiration date
Certificate Revocation is the process of invalidating a TLS/SSL (X.509) certificate before its natural expiration date for security or administrative reasons. Common reasons include private key compromise, a change in the certificate's subject information, cessation of operation, or compromise of the issuing CA; RFC 5280 defines a small set of reason codes (keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, and others) that the CA records alongside the revocation. When a certificate is revoked, the CA adds its serial number to a signed Certificate Revocation List (CRL), published at the URL named in the certificate's CRL Distribution Points extension, and updates its OCSP responders to return a 'revoked' status for that serial.
Browsers and other applications are expected to check revocation status before trusting a certificate, though this does not always happen in practice because of performance and reliability concerns. The revocation process typically involves the certificate holder contacting the CA with proper authentication and stating a reason; publicly trusted CAs are also bound by the CA/Browser Forum Baseline Requirements to revoke within fixed deadlines (24 hours for key compromise). Once revoked, a certificate cannot be 'un-revoked' (RFC 5280's certificateHold reason is the one exception, and the Baseline Requirements prohibit its use), so a new certificate must be issued if continued service is needed.
Certificate revocation is a critical security mechanism, but its effectiveness depends on applications actually checking revocation status. Some high-security environments implement 'hard-fail' policies where certificates with unknown revocation status are rejected, while others use 'soft-fail' approaches that allow the connection when revocation checking fails. Soft-fail is the weaker choice: an attacker holding a revoked certificate and its key only needs to block the client's OCSP or CRL fetch to have the certificate accepted. OCSP stapling (the server delivers a fresh CA-signed OCSP response in the TLS handshake), the Must-Staple extension, and browser-distributed revocation summaries such as Chrome's CRLSets and Firefox's CRLite/OneCRL exist precisely to make checking cheap and reliable enough that a stricter policy is practical.
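The CRL side of the mechanism described above, as an added example that is not part of the original page or any CA's software. Using only the Go standard library, it builds a throwaway CA and leaf certificate in memory (all names, serials and the CRL distribution point URL are constructed for the example), has the CA sign a CRL listing the leaf with the keyCompromise reason code, and then performs the relying-party check: verify the CRL's signature against the issuer, require the CRL to be current, and look the serial up. Every failure on that path yields an Unknown status rather than Good, and the hard-fail versus soft-fail policy choice is applied on top of that result.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of a revocation check.
type Status int
const (
	Good    Status = iota // not listed on a verified, current CRL
	Revoked               // listed on a verified, current CRL
	Unknown               // no trustworthy answer: CRL missing, unverifiable or stale
)
func (s Status) String() string { return [...]string{"good", "revoked", "unknown"}[s] }
const ReasonKeyCompromise = 1 // CRLReason keyCompromise, RFC 5280 section 5.3.1

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newPKI builds a throwaway CA and one leaf it issued, in memory; names and serials are constructed.
func newPKI() (caCert, leaf *x509.Certificate, caKey *ecdsa.PrivateKey) {
	now := time.Now().UTC()
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		// crlSign is required to issue CRLs, and relying parties reject CRLs from an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// Where a relying party would fetch the issuer's CRL (constructed URL, never contacted here).
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))))
	return caCert, leaf, caKey
}

// issueCRL is the CA side: sign a CRL listing entries, current from thisUpdate for validFor.
func issueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, entries []x509.RevocationListEntry, thisUpdate time.Time, validFor time.Duration) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(validFor), RevokedCertificateEntries: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// checkCRL is the relying-party side: verify the CRL signature against the issuer, require the CRL
// to be current at now, then look the leaf's serial up. Any failure yields Unknown, never Good.
func checkCRL(crlDER []byte, issuer, leaf *x509.Certificate, now time.Time) (Status, int, error) {
	crl, err := x509.ParseRevocationList(crlDER) // a missing (nil) CRL fails here as malformed
	if err != nil {
		return Unknown, 0, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return Unknown, 0, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return Unknown, 0, fmt.Errorf("CRL not current: nextUpdate was %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked, e.ReasonCode, nil
		}
	}
	return Good, 0, nil
}

// accept applies the policy from the text: hard-fail rejects Unknown, soft-fail lets it through.
func accept(s Status, hardFail bool) bool { return s == Good || (s == Unknown && !hardFail) }

func main() {
	caCert, leaf, caKey := newPKI()
	now := time.Now().UTC().Truncate(time.Second) // CRL times are encoded at second precision
	entry := x509.RevocationListEntry{SerialNumber: leaf.SerialNumber, RevocationTime: now, ReasonCode: ReasonKeyCompromise}
	fresh := must(issueCRL(caCert, caKey, []x509.RevocationListEntry{entry}, now, 24*time.Hour))
	clean := must(issueCRL(caCert, caKey, nil, now, 24*time.Hour))
	stale := must(issueCRL(caCert, caKey, nil, now.Add(-48*time.Hour), 24*time.Hour)) // nextUpdate already passed
	for _, sc := range []struct{ name string; crl []byte }{{"revoked", fresh}, {"clean", clean}, {"stale", stale}, {"missing", nil}} {
		st, reason, err := checkCRL(sc.crl, caCert, leaf, now)
		fmt.Printf("%-8s status=%-7v reason=%d hard-fail accept=%v soft-fail accept=%v err=%v\n", sc.name, st, reason, accept(st, true), accept(st, false), err)
	}
}
```

The stale case is the one that separates a careful checker from a naive one: that CRL does not list the leaf, so a lookup alone would report it as good, but its nextUpdate has passed and the verifier refuses to draw a conclusion from it. A real client would fetch the CRL from the distribution point (or ask an OCSP responder) and cache it until nextUpdate; the order of checks, signature first, freshness second, membership last, is the same.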
Where You'll See This Term
This term commonly appears in:
- SSL certificate details pages
- Certificate Authority validation processes
- SSL configuration documentation
- Security audit reports
- Certificate management interfaces