Certificate revocation is the process of invalidating a TLS certificate before its expiration date, usually because the private key was compromised, the certificate was mis-issued, or control of the domain changed.
In theory, revocation is how the CA system handles emergencies. In practice, it is the weakest part of the Web PKI. Here’s why, and what’s replacing it.
When to revoke a certificate
- Private key compromised — leaked, stolen, or exposed (e.g., committed to a public Git repo)
- Certificate mis-issued — a CA issued a certificate for your domain that you never requested, or issued it in violation of its own policies
- Domain transferred — you no longer control the domain the certificate covers, and the new owner should not have to trust your old key
- Key change — you’re rotating keys and want the old certificate invalidated now rather than left valid until it expires
- Server decommissioned — the certificate should no longer be valid
How revocation works
CRL (Certificate Revocation List)
The original mechanism. The CA publishes a signed list of the serial numbers of every certificate it has revoked, at a URL named in the certificate’s CRL Distribution Points extension. A client downloads the list and checks whether the serial it is validating appears on it.
Problems:
- CRLs grow large over time (a busy CA’s list can run to millions of entries)
- The client must download and parse the entire list before it can validate a single certificate
- Slow and bandwidth-intensive, so mainstream browsers stopped fetching CRLs per connection years ago (CRLs live on as the raw material for Chrome’s CRLSets and Firefox’s CRLite)
OCSP (Online Certificate Status Protocol)
A real-time check. Instead of downloading a list, the browser asks the CA’s OCSP responder (its URL is in the certificate’s Authority Information Access extension): “Is this certificate revoked?”
How it works:
Browser → OCSP Responder: "Is cert serial #12345 still valid?"
OCSP Responder → Browser: "Good" / "Revoked" / "Unknown"
Problems:
- Privacy — the CA’s responder sees a request naming the certificate for every site you visit
- Latency — adds a network round trip to every new HTTPS connection before the page can load
- Availability — if the responder is unreachable, browsers soft-fail (accept the certificate anyway), because hard-failing would turn every responder outage into a site outage; soft-fail makes the check trivial to bypass
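The CRL and OCSP mechanics above, as an added example that is not part of the original article: it builds a throwaway CA with the openssl CLI, issues one certificate, and checks its status both ways, entirely offline. The CA name, the hostname demo.example, the file names and the 47-day validity are all constructed for the demo. It also shows the propagation gap that matters in practice: once the revocation is recorded, the CA’s OCSP answers change immediately, while a client holding the previously published CRL still sees the certificate as valid until the CA regenerates the list.

```shell
#!/bin/sh
# Added example, not from the page: a throwaway CA, one leaf certificate,
# and both revocation checks (CRL and OCSP) run entirely offline with the
# openssl CLI. All names and files here are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal config for `openssl ca` and the `openssl ocsp` responder mode.
# index.txt is the CA database; the same file drives CRL generation and OCSP answers.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 47
default_crl_days = 1
unique_subject   = no
policy           = demo_policy
x509_extensions  = leaf_ext
[ demo_policy ]
commonName = supplied
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
EOF
mkdir -p newcerts
: > index.txt
echo 1000 > serial
echo 01 > crlnumber

# Self-signed demo root, then a 47-day leaf for the constructed name demo.example.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=Demo CA" -days 365 >/dev/null 2>&1
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=demo.example" >/dev/null 2>&1
openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.pem >/dev/null 2>&1

issue_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1; }

# CRL check: the client needs the whole list and must opt in with -crl_check;
# a plain `openssl verify` ignores revocation entirely.
crl_status() {
    out=$(openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check leaf.pem 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *"leaf.pem: OK"*)        echo ok ;;
        *)                       echo "error: $out" ;;
    esac
}

# OCSP exchange: build a request for this one serial, have the CA answer it
# from index.txt (response signed with the CA key), then verify the response
# the way a client would.
ocsp_query() {
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -CAfile ca.pem -respin resp.der 2>/dev/null
}
ocsp_status() { ocsp_query | awk -F': ' '/^leaf.pem: /{print $2}'; }  # good / revoked / unknown
ocsp_reason() { ocsp_query | awk -F': ' '/Reason: /{print $2}'; }     # e.g. keyCompromise

issue_crl
echo "before revocation:        crl=$(crl_status) ocsp=$(ocsp_status)"

# The emergency: mark the key compromised. OCSP answers change as soon as the
# responder reads the updated database; the CRL says nothing until it is regenerated.
openssl ca -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise >/dev/null 2>&1
echo "after revoke, stale CRL:  crl=$(crl_status) ocsp=$(ocsp_status)"
issue_crl
echo "after revoke, fresh CRL:  crl=$(crl_status) ocsp=$(ocsp_status) reason=$(ocsp_reason)"
```

Run it with sh; it needs only openssl (1.1.1 or later) and leaves its files in a temp directory. The -crl_check flag is the important detail on the CRL side: without it, openssl verify, like many TLS clients, never consults revocation data at all.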
OCSP Stapling (the improvement)
The server periodically fetches a signed OCSP response for its own certificate and “staples” it into the TLS handshake (the status_request extension). The browser verifies the CA’s signature on the stapled response and gets the revocation status without contacting the CA.
Benefits:
- No privacy leak (browser doesn’t contact the CA)
- No extra latency (response is bundled with the handshake)
- Works even if the CA’s OCSP server is slow or down, for as long as the server still holds an unexpired cached response; once that response expires there is nothing valid to staple, and clients fall back to their own checking (or lack of it)
Configuration:
Nginx:
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
The resolver directive is required because Nginx resolves the OCSP responder’s hostname itself. ssl_stapling_verify additionally needs the issuer chain: point ssl_trusted_certificate at the chain file (chain.pem in a Certbot lineage), otherwise verification fails and nothing gets stapled.
Apache:
SSLUseStapling on
SSLStaplingCache "shmcb:/var/run/apache2/ssl_stapling(128000)"
SSLStaplingCache must be set once at server level, outside any VirtualHost; SSLUseStapling can go inside the VirtualHost.
CRLite (the future)
Mozilla’s CRLite takes every unexpired certificate visible in Certificate Transparency logs, combines that set with the CAs’ published CRLs, and compresses the result into a compact filter cascade (around 1.5 MB, updated with small deltas) that Firefox downloads in the background through its remote settings channel. The browser can answer “is this certificate revoked?” locally: no network request, no privacy leak, no latency. Because the filter only covers certificates it has seen in CT, Firefox falls back to OCSP for certificates newer than the current filter. As of 2026, CRLite is enabled in Firefox and may be adopted by other browsers.
The hard truth about revocation
Revocation is mostly broken in practice:
- Chrome doesn’t check OCSP or CRLs per certificate by default; it relies on CRLSets, a small curated list of revocations that Google pushes to the browser, which covers emergency revocations rather than every revoked certificate
- Safari checks OCSP but soft-fails (accepts certificates if the OCSP server is unreachable)
- Firefox uses CRLite (the best approach, but Firefox-only)
- OCSP soft-fail means a determined attacker can block the OCSP check and the browser will accept a revoked certificate
This is why the industry is moving toward short-lived certificates as the primary defense:
| Approach | How it protects |
|---|---|
| Revocation (OCSP/CRL) | Invalidate a compromised cert — but checking is unreliable |
| Short validity (90 days today, heading to 47 days) | Compromised cert expires quickly — no check needed |
If a certificate is valid for only 47 days, a stolen key is useful for at most 47 days, and usually less, since the theft rarely happens on issuance day. The CA/Browser Forum has voted to bring the maximum lifetime of public TLS certificates down in steps to 47 days by 2029. This limits damage even when revocation doesn’t work, with one caveat: it only holds if each renewal uses a new private key. Renewing with the same key (Certbot’s --reuse-key, for example) keeps the stolen key valid across renewals, and expiry then protects you from nothing.
How to revoke a Let’s Encrypt certificate
If your private key is compromised:
# With Certbot, for a certificate this Certbot account issued (also removes the lineage)
sudo certbot revoke --cert-path /etc/letsencrypt/live/yourdomain.com/cert.pem --reason keycompromise --delete-after-revoke
# With Certbot, proving possession of the compromised key instead of using the account
# (works for a certificate issued elsewhere, as long as you hold the key)
sudo certbot revoke --cert-path cert.pem --key-path privkey.pem --reason keycompromise
# With acme.sh
acme.sh --revoke -d yourdomain.com
After revoking, get a new certificate immediately. Revocation doesn’t fix the problem, it just invalidates the old certificate. Use GetHTTPS to issue a fresh certificate with a freshly generated key pair (never reuse the compromised key), and rotate any other secrets that were stored alongside it.
Frequently asked questions
Should I enable OCSP stapling?
Yes, with one caveat. It doesn’t guarantee revocation checking (some browsers ignore the stapled response; Firefox honours it), but it’s a net positive: faster TLS handshake (no client-side OCSP lookup) and better privacy (browser doesn’t contact the CA). It’s free to enable; Nginx and Apache support it with 2-3 lines of config. The caveat: stapling only works if the CA still runs an OCSP responder. Let’s Encrypt stopped including OCSP URLs in its certificates in 2025 and shut down its responders in favour of CRLs, so for those certificates the stapling directives are harmless but inert.
How quickly does revocation take effect?
CRLs are regenerated on a schedule (daily is common; the Baseline Requirements only require at least weekly). OCSP responses carry a validity window of up to 10 days, and both browsers and stapling servers cache a “good” response until that window ends, so a server can keep stapling a stale “good” answer after the revocation. Chrome’s CRLSets and Firefox’s CRLite filters are pushed on their own schedules. In practice, a revoked certificate may remain “valid” to some clients for hours to days. This is another reason short-lived certificates are replacing revocation as the primary defense.
Do I need to revoke when I renew?
No. Getting a new certificate doesn’t require revoking the old one. The old certificate simply expires. Revocation is only needed if the private key is compromised — not for routine renewal.
Can I check if a certificate has been revoked?
# Does the server staple an OCSP response? (</dev/null stops s_client waiting on stdin)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -status </dev/null 2>/dev/null | grep "OCSP Response Status"
# "OCSP Response Status: successful (0x0)" = stapling is working
# If empty, stapling is not enabled (the full output then says "OCSP response: no response sent")
# Ask the CA's responder directly (leaf.pem and issuer.pem saved from `openssl s_client -showcerts`)
openssl ocsp -issuer issuer.pem -cert leaf.pem -url "$(openssl x509 -in leaf.pem -noout -ocsp_uri)" -resp_text
# If the certificate has no OCSP URL (Let's Encrypt certificates since 2025), use the CRL it points to
openssl x509 -in leaf.pem -noout -ext crlDistributionPoints
Or check crt.sh — revoked certificates are marked in the interface.