What is a revoked SSL certificate?

A revoked SSL certificate is an SSL/TLS certificate that a Certificate Authority (CA) has invalidated before its expiration date, meaning it should no longer be trusted for secure connections.

Even if the certificate is not yet expired, browsers and clients should treat it as untrusted once it is revoked.


Why a Certificate Might Be Revoked

Certificates are revoked for several reasons:

  1. Compromised private key
    • If the server’s private key is stolen or exposed, the certificate is no longer secure.
  2. Misissued certificate
    • If the CA accidentally issued a certificate to the wrong entity or domain.
  3. Change of ownership or domain
    • The domain ownership changes, making the certificate no longer valid for the new owner.
  4. Certificate no longer needed
    • The site owner decides to stop using it and requests revocation.
  5. Policy violations
    • If the certificate violates CA/B Forum rules or is used maliciously.

How Revoked Certificates Are Handled

Browsers and clients check for revocation using two main methods:

  1. Certificate Revocation List (CRL)
    • A list published by the CA containing all revoked certificates.
    • Browsers can check this list to see if a certificate is revoked.
  2. Online Certificate Status Protocol (OCSP)
    • The browser queries the CA’s OCSP responder in real time to ask whether that one certificate is still valid, instead of downloading the whole list.

If a certificate is revoked, the browser typically shows a security warning such as:

  • “Your connection is not private”
  • “The certificate has been revoked”

How to Check if a Certificate Is Revoked

1. Online Tools

  • SSL Labs SSL Test – Shows if a certificate is revoked via OCSP.
  • Geekflare SSL Test – Checks OCSP/CRL status.

2. Command-Line (OpenSSL)

  openssl ocsp -issuer issuer.pem -cert server.pem -url http://ocsp.server.url
  • Sends a query for server.pem to the CA’s OCSP responder. issuer.pem is the certificate of the CA that signed server.pem, and the URL is the responder address listed in the certificate’s Authority Information Access extension. Pass -CAfile with the CA chain as well so OpenSSL can verify the responder’s signature rather than only printing the reported status.
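The CRL method described above and the command-line check, as an added shell example that is not from the original article: it builds a throwaway CA with OpenSSL, issues a leaf certificate, revokes it, publishes a CRL and runs openssl verify -crl_check before and after, so the revoked-but-not-expired distinction shows up in the tool's own output. All names (Demo Root CA, example.test, ca.cnf, the temporary directory layout) are assumptions made for the demo; it needs only the openssl binary and a POSIX shell and never touches the network.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway CA,
# issue a leaf certificate, revoke it, publish a CRL, and watch
# `openssl verify -crl_check` flip from OK to "certificate revoked".
# Demo Root CA, example.test and ca.cnf are made-up names for this demo.
set -eu

# Create the CA, its issuance database and one issued leaf in a temp dir.
# Prints the directory path so callers can reference the files.
setup_pki() {
  work=$(mktemp -d)
  cd "$work"
  mkdir ca
  : > ca/index.txt            # openssl ca(1) issuance database
  echo 1000 > ca/serial       # next certificate serial (hex)
  echo 1000 > ca/crlnumber    # next CRL number (hex)
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.pem
private_key      = ./ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_pol
x509_extensions  = v3_leaf
[ any_pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
  # Self-signed root CA (key + certificate)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo Root CA" -days 30 -config ca.cnf >/dev/null 2>&1
  # Leaf CSR, signed through `openssl ca` so the CA database records it
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=example.test" -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in server.csr -out server.pem >/dev/null 2>&1
  # Publish an (empty) CRL so there is always one to check against
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  echo "$work"
}

# Mark the leaf as revoked (reason: key compromise) and reissue the CRL.
revoke_leaf() {   # $1 = directory returned by setup_pki
  ( cd "$1" \
    && openssl ca -config ca.cnf -revoke server.pem -crl_reason keyCompromise \
    && openssl ca -config ca.cnf -gencrl -out ca.crl ) >/dev/null 2>&1
}

# Verify a leaf against the CA cert and CRL. Prints: valid | revoked | error
revocation_status() {   # $1 = leaf cert, $2 = CA cert, $3 = CRL
  if out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1); then
    echo valid
  else
    case "$out" in
      *"certificate revoked"*) echo revoked ;;
      *) echo "error: $out" ;;
    esac
  fi
}

demo() {
  dir=$(setup_pki)
  echo "before revocation: $(revocation_status "$dir/server.pem" "$dir/ca.pem" "$dir/ca.crl")"
  revoke_leaf "$dir"
  echo "after revocation:  $(revocation_status "$dir/server.pem" "$dir/ca.pem" "$dir/ca.crl")"
  rm -rf "$dir"
}

demo
```

Run it as-is and it prints "valid" and then "revoked" for a certificate that is still weeks away from expiry. The same -crl_check verification is what a client performs with a downloaded CRL; note that openssl verify without -crl_check ignores the CRL entirely and reports OK for the revoked certificate, which is the gap that CRLs, OCSP and stapling exist to close.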

Impact of a Revoked Certificate

  • Visitors may see security warnings or may be blocked from accessing the site.
  • All sensitive data transmitted over HTTPS may be considered insecure if the revoked certificate is used.
  • Revoked certificates must be replaced immediately with a new, valid certificate.

Key Points

  • Revoked ≠ expired.
  • Revocation is a proactive measure to prevent compromised or misused certificates from being trusted.
  • OCSP stapling (the server fetches a recent OCSP response from the CA and attaches it to the TLS handshake) lets browsers check revocation without contacting the CA themselves.
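A way to see whether a server actually staples, as an added shell example that is not from the original article: check_staple asks the server for a stapled response with openssl s_client -status, and parse_staple reads that output and reports whether a response was stapled and what status it carried. The two SAMPLE_* strings are constructed excerpts in the shape of s_client output so the parser can be exercised offline; the host name example.test is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): detect OCSP stapling.
# parse_staple reads `openssl s_client -status` output on stdin and prints
#   none             - server sent no stapled OCSP response
#   stapled:good     - stapled response says the certificate is good
#   stapled:revoked  - stapled response says the certificate is revoked
#   unknown          - anything else (malformed response, handshake failure)
set -eu

parse_staple() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo none ;;
    *"Cert Status: good"*)               echo stapled:good ;;
    *"Cert Status: revoked"*)            echo stapled:revoked ;;
    *)                                   echo unknown ;;
  esac
}

# Live check against a host (needs network); -servername sets SNI so the
# server picks the right certificate, -status requests the stapled response.
check_staple() {   # $1 = hostname
  openssl s_client -connect "$1:443" -servername "$1" -status \
    </dev/null 2>/dev/null | parse_staple
}

# Constructed samples mimicking the relevant lines of s_client -status output.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
======================================
---'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jan  2 00:00:00 2024 GMT
======================================
---'

# Offline demonstration on the constructed samples
printf '%s\n' "$SAMPLE_NONE"    | parse_staple   # none
printf '%s\n' "$SAMPLE_GOOD"    | parse_staple   # stapled:good
printf '%s\n' "$SAMPLE_REVOKED" | parse_staple   # stapled:revoked
# check_staple example.test   # placeholder host; uncomment for a live check
```

A server that answers "none" forces every client to contact the CA itself (or, for browsers that soft-fail, to skip the check), so "none" on a production host is the finding a reviewer would raise.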
