Info: Certificate Revocation (when and why)


There are many different views on when and why to revoke a certificate. Some reasons are obvious and widely agreed upon, such as compromise of a private key: if a private key is compromised, the associated certificate must be revoked as quickly as possible.

There are times, however, when revocation of a certificate is not agreed upon. It is important to note that revocation without sufficient reason can create larger problems. Every revocation adds another certificate serial number to the Certificate Revocation List (CRL), and that entry in turn propagates through other certificate status checking mechanisms such as OCSP. Unneeded revocation therefore places an additional burden on the network and on storage devices.
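To make that burden concrete, the following Python is an added example (not part of this article) that DER-encodes revokedCertificates entries exactly as RFC 5280 lays them out, so the bytes that each revocation adds to the CRL, and to every download of it, can be measured; the serial number and revocation date are constructed values.

```python
"""Per-entry growth of a CRL's revokedCertificates field (RFC 5280 section 5.1).
Constructed example: DER-encodes CRL entries by hand to measure the byte cost that
every revocation adds to the list and to every relying party that downloads it.
"""
from datetime import datetime, timezone

REASON_CODE_OID = bytes.fromhex("551d15")                 # id-ce-cRLReasons, 2.5.29.21
KEY_COMPROMISE = 1                                        # CRLReason keyCompromise(1)
SAMPLE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed revocation date
SAMPLE_SERIAL = 0x0123456789ABCDEF0123456789ABCDEF        # constructed 16-byte serial

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER (adds a leading 0x00 when the top bit is set)."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def der_utctime(t: datetime) -> bytes:
    """UTCTime (YYMMDDHHMMSSZ), which RFC 5280 requires for dates before 2050."""
    return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def reason_code_extension(reason: int) -> bytes:
    """crlEntryExtensions holding one reasonCode extension (an ENUMERATED in an OCTET STRING)."""
    ext = der_tlv(0x06, REASON_CODE_OID) + der_tlv(0x04, der_tlv(0x0A, bytes([reason])))
    return der_tlv(0x30, der_tlv(0x30, ext))

def crl_entry(serial: int, revoked_at: datetime, reason=None) -> bytes:
    """One revokedCertificates entry: SEQUENCE { userCertificate, revocationDate, [extensions] }."""
    body = der_integer(serial) + der_utctime(revoked_at)
    if reason is not None:
        body += reason_code_extension(reason)
    return der_tlv(0x30, body)

def revoked_certificates(entries) -> bytes:
    """The SEQUENCE OF entries; the rest of the CRL (issuer, times, signature) is fixed size."""
    return der_tlv(0x30, b"".join(crl_entry(*e) for e in entries))

if __name__ == "__main__":
    for count in (1, 1000, 100_000):
        size = len(revoked_certificates([(SAMPLE_SERIAL, SAMPLE_TIME, KEY_COMPROMISE)] * count))
        print(f"{count:>7} entries -> {size:>9} bytes in every CRL download")
```

Each entry costs 35 bytes with a 16-byte serial, or 49 bytes once a reasonCode is attached, and that cost is paid again by every relying party on every CRL refresh.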

More Information:

For this reason, revocation should be performed only when truly needed. Some cases to consider carefully before revoking include:

  • If a private key is being replaced and the key remains in the possession of the key holder, then it is unlikely the certificate should be revoked when it is replaced.
  • If a private key is near expiry and the key remains in the possession of the key holder, then it is VERY unlikely the certificate should be revoked.

There are other times when revocation should be strongly discouraged, especially if the private key has been used for purposes such as Digital Signature, since revocation casts doubt on signatures made before it unless the time of signing can be established independently.

So when defining operational procedures for revocation, consider whether the need to revoke outweighs the potential impact on relying parties and infrastructure operations.