Back to Interactive Demo
TroubleshootingSecurity

Certificate Revocation Deep Dive

Learn when and why to revoke certificates, how browsers check revocation status, and what to do when something goes wrong.

15 min readDecember 2025Security Guide
Certificate revocation deep dive covering CRL, OCSP, and browser behavior

Why Revoke a Certificate?

Certificate revocation is the process of invalidating a certificate before its natural expiration date. You need to revoke when something makes the certificate untrustworthy.

The Core Principle

If someone other than the authorized owner could potentially use a certificate to impersonate your service, that certificate must be revoked immediately.

Common Revocation Triggers

  • CRITICAL:Private key exposed (committed to GitHub, server breach, stolen backup)
  • HIGH:CA compromise (DigiNotar, Comodo-style incidents)
  • MEDIUM:Organization info changed (rebranding, M&A, domain sold)
  • LOW:Certificate superseded (algorithm upgrade, adding SANs)
  • OPERATIONAL:Service decommissioned (domain not renewed, product discontinued)

RFC 5280 Revocation Reasons

When you revoke a certificate, you specify a reason code defined in RFC 5280. This helps clients understand why the certificate was invalidated.

CodeReasonUrgencyDescription
1keyCompromise24 hoursPrivate key exposed
2cACompromiseImmediateCA was compromised
3affiliationChanged5 daysSubject info no longer accurate
4superseded5 daysReplaced with new certificate
5cessationOfOperationBefore shutdownService being decommissioned
6certificateHoldVariesTemporary hold (can be removed)
0unspecified5 daysNo specific reason given

CA/Browser Forum Requirements

For key compromise, CAs must revoke within 24 hours of confirmed compromise. Other reasons have a 5-day window. These timelines are enforced by browser root programs.

Revocation Timeline

Revocation Timeline

From compromise to client protection

T+0
Compromise

Key exposed or breach detected

T+1hr
Report

Contact CA with revocation request

T+24hr
Revoked

CA adds to revocation list

T+48hr
CRL Updated

Distribution points receive update

T+7days
Protected

All client caches expired

Danger Window

Between compromise and client enforcement, attackers can still use the certificate. This can be hours to days depending on CRL validity and caching.

Understanding the timeline from compromise to client protection is critical for incident response planning.

T+0
Compromise Occurs

Private key exposed, breach detected, or incident discovered

T+1hr
Contact CA

Submit revocation request to Certificate Authority

T+24hr
Certificate Revoked

CA adds certificate serial to revocation list

T+48hr
CRL Updated

CRL distribution points receive updated list

T+7days
Clients Protected

Cached CRLs expire, all clients have current status

DANGER WINDOW

Between compromise and client enforcement, attackers can still use the compromised certificate. This window can be hours to days depending on CRL validity periods and client caching.

How Clients Check Revocation

Revocation Checking Methods

How clients verify certificate status

CRL

Download entire list of revoked certs

Pros:
Works offline once cached
Simple to implement
Cons:
Large downloads (MBs)
Stale data between updates
OCSP

Real-time query for specific cert status

Pros:
Real-time status
Small request/response
Cons:
CA sees every site you visit
Adds latency
OCSP Stapling
Recommended

Server provides proof in TLS handshake

Pros:
No CA query from client
Faster - no extra round trip
Cons:
Requires server support
Must-staple can cause issues
Modern browsers use a combination of CRLSets/CRLite + OCSP for critical certs

1. CRL (Certificate Revocation List)

Client downloads the entire list of revoked certificates from CA's CRL server, then checks if the certificate's serial number appears in the list.

Pros:
  • • Works offline once cached
  • • Simple to implement
Cons:
  • • Large downloads (can be MBs)
  • • Stale data between updates
  • • Privacy: CRL URL in certificate

2. OCSP (Online Certificate Status Protocol)

Client queries CA's OCSP responder in real-time for the status of a specific certificate.

Pros:
  • • Real-time status
  • • Small request/response
Cons:
  • • Privacy: CA sees every site you visit
  • • Adds latency to every connection
  • • Soft-fail if responder unavailable

3. OCSP Stapling (Recommended)

Server fetches OCSP response and "staples" it to the TLS handshake. Client gets proof without contacting the CA.

Pros:
  • • No CA query from client (privacy)
  • • Faster - no extra round trip
  • • Server caches response
Note:

Must be enabled in server config. Use OCSP Must-Staple for hard-fail enforcement.

Before and after comparison showing how OCSP Must-Staple prevents soft-fail attacks

4. CRLSets / CRLite

Browser vendors maintain curated lists of revoked certificates, pushed via browser updates.

  • Chrome: CRLSets (~50K high-priority certs)
  • Firefox: CRLite (comprehensive, bloom filter-based)
  • Advantage: Hard-fail, fast, private
  • Limitation: Limited coverage (CRLSets) or delayed updates

The Soft-Fail Problem

Comparison showing hard-fail blocking connections versus soft-fail allowing them when OCSP unreachable

This is the dirty secret of certificate revocation: most browsers don't actually block connections when revocation checks fail.

Hard-Fail (Ideal)

Can't verify revocation? Block the connection.

More secure, but can cause outages if OCSP responder is slow or down.

Soft-Fail (Reality)

Can't verify revocation? Allow anyway.

Better UX, but attackers can block OCSP to use revoked certs.

Attack Scenario

  1. 1. Attacker steals your private key
  2. 2. You discover the breach and revoke the certificate
  3. 3. Attacker intercepts victim's connection (MITM)
  4. 4. Attacker blocks victim's OCSP request
  5. 5. Browser soft-fails → allows connection with revoked cert
  6. 6. Attack succeeds despite revocation!

This is exactly why Chrome stopped doing real-time OCSP/CRL checks.

Browser Revocation Behavior

Browser Revocation Behavior

How major browsers check certificate status

🌐
Chrome(CRLSets)
Primary MethodCurated list pushed to browser
Soft-Fail PolicyNo OCSP queries
EV CertificatesOCSP for EV certs
NotesOnly high-impact revocations included
🦊
Firefox(CRLite + OCSP)
Primary MethodCompressed CRL database
Soft-Fail PolicySoft-fail on OCSP timeout
EV CertificatesOCSP for EV certs
NotesCRLite covers all Web PKI certs
🧭
Safari(OCSP)
Primary MethodReal-time OCSP checks
Soft-Fail PolicySoft-fail on timeout
EV CertificatesHard-fail for EV
NotesPrivacy concern: CA sees browsing
Soft-Fail Problem

If OCSP responder is down, most browsers allow the connection anyway. Attackers can block OCSP to bypass revocation.

OCSP Must-Staple

Certificate extension that forces hard-fail if no stapled response. Better security but can cause outages if misconfigured.

BrowserCRLOCSPStaplingSpecial
ChromeCRLSets (curated)
FirefoxCRLite (comprehensive)
Safari-
EdgeCRLSets (Chromium)

Why Chrome Abandoned Real-Time Checks

  • • Soft-fail makes it "security theater" - attackers can bypass
  • • Adds latency to every HTTPS connection
  • • Privacy concern: CA sees every site you visit
  • • CRLSets provide hard-fail for high-priority revocations

Incident Response Workflow

When you need to revoke a certificate, follow this structured approach to minimize exposure time.

Phase 1: ASSESS (0-2 hours)

  • • Confirm the compromise is real (not a false alarm)
  • • Identify ALL affected certificates
  • • Determine scope: one cert or many?
  • • Alert incident response team

Phase 2: CONTAIN (2-8 hours)

  • • Generate NEW key pairs (never reuse compromised keys!)
  • • Request new certificates from CA
  • • Prepare deployment plan for new certs
  • • Stage new certs but don't deploy yet

Phase 3: REPLACE (8-24 hours)

  • • Deploy new certificates to all endpoints
  • • Verify new certs are working correctly
  • • Update any certificate pinning configurations
  • • Securely delete old private keys from all systems

Phase 4: REVOKE (After new certs deployed)

  • • Submit revocation request to CA
  • • Specify correct revocation reason code
  • • Verify revocation appears in CRL/OCSP
  • • Document for compliance/audit trail

Phase 5: REVIEW (48-72 hours post)

  • • Conduct root cause analysis
  • • Update security controls to prevent recurrence
  • • Review certificate management practices
  • • Update incident response procedures
CRITICAL

Always deploy the new certificate BEFORE revoking the old one.Revoking first causes a service outage until the new cert is deployed.

When Revocation Fails

Four scenarios where certificate revocation fails to protect users

Even after you revoke a certificate, several factors can prevent clients from blocking it.

Cached CRL Not Updated

Client has old CRL cached and won't check for updates until it expires.

Impact: Revoked cert appears valid
Fix: Use OCSP Stapling for real-time status

Soft-Fail on OCSP Timeout

OCSP responder is slow or unavailable, browser allows connection anyway.

Impact: Attacker can block OCSP and use revoked cert
Fix: Enable OCSP Must-Staple extension

Not in CRLSets

Chrome only includes "important" revocations in CRLSets (~50K certs).

Impact: Your revoked cert may not be blocked in Chrome
Fix: Request CA submit to CRLSets for high-impact certs

OCSP Stapling Not Configured

Server doesn't provide OCSP staple, client must query CA directly.

Impact: Slower connections, privacy leak, soft-fail risk
Fix: Enable OCSP stapling in server config

Best Practices

Enable OCSP Stapling

Faster, more private, and more reliable than client-side OCSP

Consider OCSP Must-Staple

Forces hard-fail if staple missing (more secure but riskier)

Have an Incident Response Plan

Know who to call and what to do before a breach happens

Use Short-Lived Certificates

90-day or shorter certs reduce revocation window impact

Protect Private Keys

Use HSMs, limit access, never commit to repos

Test Revocation Regularly

Verify your OCSP stapling works and CRL URLs are accessible

Useful Commands

Check OCSP Status

# Get OCSP URL from certificate
openssl x509 -in cert.pem -noout -ocsp_uri

# Check OCSP status
openssl ocsp -issuer chain.pem -cert cert.pem \
  -url http://ocsp.example.com -text

Download and Check CRL

# Get CRL URL from certificate
openssl x509 -in cert.pem -noout -text | grep -A1 "CRL Distribution"

# Download CRL
curl -o crl.der http://crl.example.com/crl.der

# Convert and view CRL
openssl crl -in crl.der -inform DER -text -noout

Test OCSP Stapling

# Check if server provides OCSP staple
openssl s_client -connect example.com:443 -status 2>/dev/null | \
  grep -A 20 "OCSP Response Data"

Enable OCSP Stapling (Nginx)

# nginx.conf
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Enable OCSP Stapling (Apache)

# Apache config
SSLUseStapling On
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLStaplingResponseMaxAge 900

Explore More PKI Topics

Learn about CRL vs OCSP mechanics, failure scenarios, and certificate lifecycle management.

CRL vs OCSP DemoFailure ScenariosCertificate Lifecycle

Related Resources

Certificate Revocation Guide

Introduction to CRL, OCSP, and OCSP Stapling

Certificate Transparency

CT logs for detecting mis-issued and revoked certificates

Certificate Lifecycle

Complete journey including revocation phase

Certificate Anatomy

CRL Distribution Points and OCSP extensions in certificates

OpenSSL s_client

Test OCSP stapling and check revocation status

Certificate Revocation Requirements

CA/Browser Forum 24-hour and 5-day revocation rules