There are many different views on when and why to revoke a certificate. Some reasons are obvious and widely agreed upon, the clearest being compromise of a private key: if a private key is compromised, the associated certificate must be revoked as quickly as possible.
Other cases are less clear-cut, and it is important to note that revoking a certificate without sufficient reason can create larger problems. Every revocation adds another certificate serial number to the issuer's certificate revocation list (CRL), and that change in turn propagates to the other certificate status checking mechanisms built on it, such as OCSP responders. Unneeded revocations therefore place an additional burden on the network and on the storage devices that hold and distribute revocation data, and, because CRLs only grow until the revoked certificates expire, that burden persists for the remaining lifetime of each certificate.
For this reason revocation should be performed only when it is truly needed. Cases to consider carefully before revoking include:
- If a private key is being replaced (for example, as part of routine key rollover) and the key remains in the possession of the key holder, it is unlikely that the old certificate needs to be revoked when it is replaced.
- If a private key is near expiry and the key remains in the possession of the key holder, it is VERY unlikely that the certificate needs to be revoked, since it will shortly cease to be valid on its own.