2

I'm looking for a bit more detail on how the chain of ownership works when it comes to service providers requesting SSL certificates on behalf of another organization. The "Who is responsible for revoking a certificate?" post is helpful in describing how the process works for revocation and what the owner has to do, but it just doesn't go into details on how "on behalf of" certificates are handled.

My Situation

I have a situation where a service provider will be a CDN for a site. They are requesting an SSL cert through their CA to handle the domains, and I just have to approve or deny the request. What I'm unclear about in this situation is who has the authority to revoke the cert, as I don't actually own the certificate but I do own the domains it's attached to. Can I initiate a revocation of the SSL cert through the CA even when I don't own it?

MarianD
Aaron
  • I think this depends on the specific CA you're using, but *most* of them only really care about the domain owner's wishes. As long as you can prove you own the domain, you should be able to get certs *for that domain* revoked whenever you want. They might be cautious because you're a different person than the one that got the certs in the first place, but I'd be surprised if that wasn't resolved with e.g. putting up a requested TXT record. I'd post an answer, but there's not enough information in this question for me to confirm my speculation. – Nic Jun 28 '19 at 21:34
  • Thanks @NicHartley. What additional details do you need and I can see if I can provide them? – Aaron Jun 28 '19 at 21:47
  • You'd probably be better equipped to find the answers, actually -- see if you can reach out to the CDN to ask who their CA is. Then, depending on the CA, you can either find their cert revocation policy online, or possibly call them to ask. e.g. [Let's Encrypt publishes theirs](https://letsencrypt.org/docs/revoking/), [so does Symantec](https://knowledge.digicert.com/solution/SO982.html), and so on. – Nic Jun 28 '19 at 21:55
  • Will do. I'll follow up with the CA as I know who they are. Thanks – Aaron Jun 28 '19 at 22:00

2 Answers

1

Your CDN or you could initiate the revocation. The CDN can request the revocation most likely through the account they have with the CA and from being the "owner" of that specific order.

You can request a revocation still, even though you are not the owner or purchaser of that specific certificate. The CA will request you to prove you are the owner of that domain. If you can prove to the CA that you're the owner of the domain, they will revoke the certificate.

You ultimately are the party granting or denying the use of a certificate for your domain. You can authorize another party to buy certificates on your behalf. And you can revoke that authorization at any time as well.

Each CA has its own revocation policies and it's worth checking out those documents. But the CA/B Forum, which sets rules and standards for CAs, does state who is allowed to request a revocation. See section 4.9 of the Baseline Requirements.

4.9.2. Who Can Request Revocation

The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, Subscribers, Relying Parties, Application Software Suppliers, and other third parties may submit Certificate Problem Reports informing the issuing CA of reasonable cause to revoke the certificate.

CAs are allowed to process requests from "relying parties" who can provide reasonable evidence that the certificate should be revoked. In the scenario presented in the OP, you would be the relying party and your CDN would be the subscriber.

Relying parties are defined as:

Any natural person or Legal Entity that relies on a Valid Certificate. An Application Software Supplier is not considered a Relying Party when software distributed by such Supplier merely displays information relating to a Certificate.

Rex Linder
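As an added illustration (not part of the answer above, and not something the page itself discusses), the following Python models the "authorize another party, and withdraw that authorization" part of this answer using DNS CAA records (RFC 8659), the mechanism a domain owner uses to state which CAs may issue for a name. The zone data, CA names and hostnames are constructed sample values; the functions `find_caa`, `ca_may_issue` and `withdraw_authorization` are this example's own.

```python
"""CAA evaluation (RFC 8659) as a model of a domain owner's issuance authority.
Constructed example: the zone below is in-memory sample data, not a DNS lookup."""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]          # (flags, tag, value)
CaaZone = Dict[str, List[CaaRecord]]

# Constructed zone: example.com lets one CA (the CDN's CA) issue, forbids
# wildcards, and asks for problem reports by e-mail.
CAA_ZONE: CaaZone = {
    "example.com": [(0, "issue", "ca-for-cdn.example"),
                    (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "nocert.example.com": [(0, "issue", ";")],        # nobody may issue
    "legacy.example.com": [(128, "unknowntag", "x")], # critical, unknown tag
}

def find_caa(name: str, zone: CaaZone) -> List[CaaRecord]:
    """Climb from the name toward the root; the first CAA RRset found applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return zone[owner]
    return []

def _value_matches(value: str, issuer_domain: str) -> bool:
    # A value may carry parameters after ';' (e.g. "ca.example; account=123").
    return value.split(";", 1)[0].strip().lower() == issuer_domain.lower()

def ca_may_issue(name: str, issuer_domain: str, wildcard: bool = False,
                 zone: CaaZone = CAA_ZONE) -> bool:
    """True if issuer_domain is authorized to issue for name under the zone's CAA."""
    rrset = find_caa(name, zone)
    # A critical record (flag bit 0x80) with a tag we do not understand forbids issuance.
    if any(f & 0x80 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                       # no applicable property: any CA may issue
    return any(_value_matches(v, issuer_domain) for v in relevant)

def withdraw_authorization(zone: CaaZone, owner: str, issuer_domain: str) -> CaaZone:
    """Return a copy of the zone with issuer_domain's issue/issuewild grants removed.
    If no issue grant remains, an explicit 'issue ;' is added so nobody may issue."""
    new_zone = {k: list(v) for k, v in zone.items()}
    kept = [r for r in new_zone.get(owner, [])
            if not (r[1] in ("issue", "issuewild") and _value_matches(r[2], issuer_domain))]
    if not any(t == "issue" for _, t, _ in kept):
        kept.append((0, "issue", ";"))
    new_zone[owner] = kept
    return new_zone
```

Withdrawing authorization only stops future issuance; certificates already issued stay valid until the CA revokes them, which is what the Certificate Problem Report route in this answer is for.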
0

No. If you don't control the CA, you can't revoke a certificate signed by that CA.

However, the CA will probably revoke a certificate issued for your domain if you ask.

ztk