# Certificate Revocation
## Overview
Certificate revocation is the process of invalidating a certificate before its natural expiry date. When a certificate is revoked, it is published in a Certificate Revocation List (CRL), which relying parties can check to determine whether a certificate should still be trusted.
The Certificate Revocation page in the LAAVAT Platform GUI provides tools to revoke and unrevoke certificates, specifying standardized reasons for each action. Revocation is a critical security operation used when a certificate's private key has been compromised, when the certificate holder's authorization has changed, or when the certificate was issued in error.
Revocation is a significant security action
Revoking a certificate immediately marks it as untrusted in the next published CRL. Any systems or devices relying on the certificate will reject it once the updated CRL is distributed. Ensure you understand the impact before proceeding.
## Actions
The LAAVAT Platform supports two revocation-related actions:
### Revoke
The Revoke action marks a certificate as revoked. Once revoked, the certificate's serial number and revocation reason are added to the CRL.
To revoke a certificate:
- Navigate to Revocation > Certificate Revocation.
- Identify the certificate to revoke (by serial number, subject, or other identifying information).
- Select a revocation reason from the available options (see Reasons below).
- Optionally add a note or comment describing the circumstances.
- Click Revoke to confirm the action.
Revocation timing
Revocation takes effect when the next CRL is published. Depending on your CRL publication schedule, there may be a delay between the revocation action and relying parties becoming aware of the revocation.
### Unrevoke
The Unrevoke action removes the revocation status from a certificate, restoring it to good standing. This action is only available for certificates that were revoked with the Certificate Hold reason.
To unrevoke a certificate:
- Navigate to Revocation > Certificate Revocation.
- Locate the certificate that is currently on hold.
- Click Unrevoke to remove the hold status.
- The certificate will be removed from the CRL in the next publication cycle.
Unrevoke limitations
Unrevoking is only possible when the original revocation reason was Certificate Hold. Certificates revoked for any other reason cannot be unrevoked. This is by design, as per RFC 5280 -- once a certificate is permanently revoked, the decision is irreversible.
| Action | Effect | Reversible |
|---|---|---|
| Revoke | Adds the certificate to the CRL with the specified reason | Only if the reason is Certificate Hold |
| Unrevoke | Removes the certificate from the CRL | N/A (restores certificate to good standing) |
## Reasons
Revocation reasons follow the standard defined in RFC 5280, Section 5.3.1. When revoking a certificate, you must select one of the following reasons:
| Reason | Code | Description | Supports Unrevoke |
|---|---|---|---|
| Unspecified | 1 | No specific reason is provided. Use when none of the other reasons apply. | No |
| Key Compromise | 2 | The certificate's private key has been compromised or is suspected of being compromised. | No |
| CA Compromise | 3 | The issuing CA's private key has been compromised. This is a severe event that typically requires revoking all certificates issued by the CA. | No |
| Affiliation Changed | 4 | The certificate holder's organizational affiliation has changed, making the certificate's subject information inaccurate. | No |
| Superseded | 5 | The certificate has been replaced by a new certificate. The original is no longer needed. | No |
| Cessation of Operation | 6 | The certificate holder has ceased operations or the service the certificate was issued for has been decommissioned. | No |
| Certificate Hold | 7 | The certificate is temporarily suspended. This is the only reason that allows the certificate to be unrevoked later. | Yes |
| Remove from CRL | 9 | Used when a certificate is removed from hold status (unrevoked). | N/A |
| Privilege Withdrawn | 10 | The certificate holder's privileges have been withdrawn. | No |
| AA Compromise | 11 | The Attribute Authority (AA) has been compromised. | No |
### Choosing the Right Reason
Best practice for reason selection
Always select the most specific and accurate reason for revocation. This information is embedded in the CRL and may be used by auditors, compliance teams, and automated systems to assess the nature and severity of the revocation event.
- Use `Key Compromise` when you have evidence or strong suspicion that the private key has been exposed. This signals the highest urgency to relying parties.
- Use `CA Compromise` only when the issuing CA itself has been compromised. This is an extraordinary event that may trigger a full key ceremony and re-issuance.
- Use `Superseded` for routine certificate rotation where the old certificate should no longer be used.
- Use `Certificate Hold` when you need to temporarily suspend a certificate and may want to restore it later. This is useful for investigation periods where compromise is suspected but not confirmed.
- Use `Cessation of Operation` when a device or service is permanently decommissioned.
- Use `Affiliation Changed` when organizational changes make the certificate's subject DN inaccurate.
- Use `Unspecified` only as a last resort when no other reason fits.
## CRL Publication
After a revocation or unrevocation action, the changes are reflected in the next Certificate Revocation List publication. The CRL is a signed document issued by the CA that lists all revoked certificates.
### CRL Contents
Each entry in the CRL contains:
| Field | Description |
|---|---|
| Serial Number | The serial number of the revoked certificate. |
| Revocation Date | The date and time the certificate was revoked. |
| Reason Code | The RFC 5280 reason code for the revocation. |
### CRL Distribution
Relying parties obtain the CRL through the CRL Distribution Point (CDP) URL embedded in the certificates. The LAAVAT Platform automatically manages CRL generation and distribution.
CRL freshness
Relying parties typically cache a CRL until the time given in its nextUpdate field, so a revocation is not seen until the cached copy expires and a fresh CRL is fetched. If you need immediate revocation propagation, consider your CRL publication interval and whether it meets your security requirements.
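The following Go program is an added example, not part of the LAAVAT documentation or platform, that walks through the CRL lifecycle described in the Unrevoke, CRL Contents and CRL freshness sections above using only the standard library (Go 1.21 or later): a constructed test CA publishes a CRL holding one serial with Certificate Hold and another with Key Compromise, then publishes the next CRL with the hold entry dropped (the unrevoke), while a relying-party check verifies the CRL signature, reads each entry's serial, date and reason code, and flags a cached CRL that is past its nextUpdate as stale. The CA name, serial numbers and CRL intervals are constructed for the example; the reason codes are the RFC 5280 enumeration as encoded on the wire, which begins at unspecified = 0.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RFC 5280 5.3.1 encodes CRLReason as ENUMERATED from unspecified = 0: keyCompromise is 1, certificateHold is 6.
const ReasonKeyCompromise, ReasonCertificateHold = 1, 6
// NewTestCA builds a throwaway self-signed CA (constructed for this example, not a LAAVAT CA).
func NewTestCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	ca, _ := x509.ParseCertificate(der) // the parsed cert carries the SubjectKeyId the CRL signer needs
	return ca, key
}

// SignCRL publishes CRL number num, valid from thisUpdate to nextUpdate, with one entry per revoked serial (serial -> reason code); an unrevoked hold simply drops out of the next CRL.
func SignCRL(ca *x509.Certificate, key ed25519.PrivateKey, num int64, thisUpdate, nextUpdate time.Time, revoked map[int64]int) ([]byte, error) {
	var entries []x509.RevocationListEntry
	for serial, reason := range revoked {
		entries = append(entries, x509.RevocationListEntry{SerialNumber: big.NewInt(serial), RevocationTime: thisUpdate, ReasonCode: reason})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(num), ThisUpdate: thisUpdate, NextUpdate: nextUpdate, RevokedCertificateEntries: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// Check is the relying-party side: verify the CRL signature, flag a cached CRL past its nextUpdate as stale, and look up the serial with its reason code (-1 if absent).
func Check(der []byte, ca *x509.Certificate, serial int64, now time.Time) (revoked bool, reason int, stale bool, err error) {
	crl, err := x509.ParseRevocationList(der)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return false, -1, false, err
	}
	stale = now.After(crl.NextUpdate)
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Int64() == serial {
			return true, e.ReasonCode, stale, nil
		}
	}
	return false, -1, stale, nil
}
```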
## Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| Cannot unrevoke a certificate | The certificate was revoked with a reason other than Certificate Hold | This is by design; only Certificate Hold allows unrevocation. The certificate must remain revoked. |
| Revocation does not appear in the CRL | The CRL has not been republished since the revocation | Wait for the next CRL publication cycle or trigger a manual CRL update if supported |
| Relying parties still accept a revoked certificate | The relying party is using a cached CRL that predates the revocation | The relying party will pick up the revocation after the cached CRL expires and a fresh one is fetched |
| Certificate serial number not found | The certificate may belong to a different CA or product | Verify the CA and product context before searching for the certificate |