Questions tagged [certificate-revocation]

Certificate Revocation is a process for reporting that a certificate should no longer be trusted to the cert's issuing CA. The CA then places the cert on its CRL, and responds "REVOKED" to any OCSP requests for that cert. Normally only the owner of the cert (holder of the private key) can revoke a cert, though in special circumstances a CA can revoke a cert directly.

177 questions
92 votes, 4 answers

Should I revoke no-longer-used Let's Encrypt certificates before destroying them?

The Let's Encrypt documentation recommends that when a certificate’s corresponding private key is no longer safe, you should revoke the certificate. But should you do the same if there are no indications that the key is compromised, but you no…
26 votes, 5 answers

Who is responsible for revoking a certificate?

The CA issues certificates to clients/servers. Whenever a request is made by the client/server, the certificate is used to verify the identity. Now, if a certificate needs to be revoked then who does it and how? Does the client/server "mark" it as…
25 votes, 3 answers

Is publishing CRLs over HTTP a potential vulnerability?

I noticed that at least one major CA (Comodo) publishes their CRL over HTTP rather than HTTPS. This seems to me to be somewhat of a vulnerability, as an attacker could hijack the HTTP connection that seeks to download the CRL and when HSTS is in use…
user
21 votes, 5 answers

Why are certificates limited in time?

If a certificate has a limited duration of, say, 5 years, but it gets somehow compromised after 2 years, waiting the 3 remaining years for it to become invalid is not a real solution to the breach problem. (3 years is an eternity in IT, I guess.) Also, if…
Philipp
17 votes, 4 answers

Are SSL certs auto-revoked if their Not-Valid-After date is reached without renewing?

I'm learning about X509 certs used in client-cert authentication to https endpoints. If I have an OCSP checker (Python script that creates, submits, decodes OCSP responses), do I need to check the not-valid-after date on a client…
ericOnline
17 votes, 2 answers

What does "revoking" a key actually do?

I am currently encrypting some personal information using gpg (gpgdir actually). I have a copy of my private key printed onto a sheet of paper in the form of a data matrix lest I lose the digital copy of my private key. However, in reading up about…
quant
14 votes, 4 answers

Why isn't OCSP required by default in browsers?

According to the following screenshot, taken from firefox-3.6.17-1.fc14.i686, Firefox has an option to fail closed when unable to connect to OCSP servers. Can someone please explain why this isn't enabled by default?
14 votes, 3 answers

Domain name expiration and TLS

If I purchase a domain name that has expired, do I have any assurance that the previous owner does not have a valid HTTPS certificate for the site? In other words, do CAs check domain name expiration dates when issuing a certificate to ensure the…
12 votes, 1 answer

Why isn't there a certificate revocation request standard?

Say I am building a Certificate Authority software and I want to automate certificate revocation as much as possible. I know it will not be possible in some cases, like if the building where the certificate, keys and other support documents were…
12 votes, 2 answers

When does iOS check validity of enterprise certificates?

Here is an article that should give a little more context (and see my comment on it, same username, for additional info). iOS developers are able to distribute apps outside of the App Store using an Enterprise provisioning profile. This allows apps…
12 votes, 3 answers

Why are Certificate Revocation Lists periodically renewed?

While studying a security course I have been asked this very question: Why are CRLs periodically renewed, even if there are no new revoked certificates to add to the list? Honestly I can't find the answer; if any of you could be so kind to shed…
11 votes, 1 answer

Should I use a Certificate Revocation List?

I've been trying to provide security to my API. I will issue certificates to my clients to access my API through a TLS channel. So it'll be an SSL client authentication. I'm wondering, should I use a CRL on my server? Why? Note: I'll use my own CA and…
11 votes, 1 answer

Do long lived TLS connections pose a security risk?

I would like to better understand the implications of maintaining a long lived (hours, days) TLS connection with respect to certificate revocation. As I understand TLS, the client verifies the server's certificate during the handshake and then never…
jdgilday
11 votes, 1 answer

Did D-Link's certificate revocation really only invalidate 1 day (of a six months long exposure)?

I'm trying to wrap my head around the OCSP revocationTime for D-Link's certificate. I recently answered another question and ended up drafting a timeline. That timeline is basically this: Jul 5 00:00:00 2012 GMT. Validity: Not Before Feb 27 …
11 votes, 1 answer

Has the leaked D-Link Windows signing key been revoked?

Recently news broke as to D-Link mistakenly publishing a private code-signing key as part of an open source framework: The D-Link key was leaked in late February, and expired on September 3, it appears. That means during that six-month period,…