How is a certificate revoked before its expiry, and how do clients learn about revocations?
A revocation marks a certificate as invalid before its expiry date — usually because the private key was compromised, the subject left the org, or details changed. Clients check via CRL (Certificate Revocation List) downloads or OCSP (Online Certificate Status Protocol) live queries.
Reasons for revocation:
- Private key was compromised / stolen.
- Certificate holder left the organisation.
- Information in the certificate changed (rename, role change).
- CA itself was compromised (revoke everything they issued — disaster).
The two distribution mechanisms:
| CRL | OCSP | |
|---|---|---|
| What it is | Big list of revoked serial numbers, signed by CA | Per-cert live query: "is this still valid?" |
| Update freshness | Periodic (hours to days) | Real-time |
| Client cost | Download list once, cache | One query per cert validation |
| Privacy | Good — local lookup | Bad — CA learns every site you visit (mitigated by OCSP stapling) |
| Protocol | HTTP download | HTTP(S) query |
OCSP stapling (RFC 6066) — the server pre-fetches the OCSP response and "staples" it to the TLS handshake, so the client doesn't have to query the CA itself. Solves the privacy problem and reduces handshake latency. Modern servers should have it enabled.
The revocation problem in practice: browsers historically did poor revocation checking ("soft-fail"). If the CRL or OCSP server is unreachable, most browsers just accept the certificate anyway — which means an attacker who blocks revocation traffic can effectively bypass the system. Modern fixes include must-staple certificate extension, CRLSets (Chrome's curated revocation list), and short certificate lifetimes (Let's Encrypt = 90 days), making revocation almost unnecessary.
Tip: Why must a revocation request itself be carefully verified? Because if anyone could revoke a competitor's cert, you'd have a DoS attack on demand. Revocation requests must prove ownership (proof-of-possession of the private key, or identity check at the RA).