About revoking certificates
Certificate revocation lets administrators manage the lifecycle of certificates issued through a supported certificate authority (CA). Supported CAs are:
- Microsoft AD CS
- Venafi Zero Touch PKI
If you're an administrator with either the PKI Administrator or System Administrator role, you can directly revoke any certificate in the Certificate Inventory that was issued by a supported CA (as long as you have the CA account used to issue the certificate).
Best Practice
In the case of Microsoft AD CS, revocation requests are typically completed immediately. Public CAs do not always complete revocation requests as quickly, so submit and follow up on important revocation requests as soon as possible.
Understanding Certificate Revocation in TLS Protect Cloud
Certificate revocation is a critical aspect of maintaining the security and trustworthiness of your managed servers and applications. In TLS Protect Cloud, certificate revocation ensures that digital certificates that are no longer trustworthy are invalidated before their natural expiration date. This is particularly important in cases where certificates have been compromised, or the associated key pairs are no longer secure.
What is Certificate Revocation?
Certificate revocation is the process of invalidating a certificate, effectively making it unusable for establishing secure connections. Once a certificate is revoked, it is flagged as untrusted by the CA, and it cannot be used to authenticate or secure communications. Certificates can be revoked for a variety of reasons, such as:
- Compromised key pairs: If a private key is exposed or suspected of being compromised, the corresponding certificate should be revoked to prevent malicious use.
- Certificate holder no longer trusted: If the identity of the certificate holder can no longer be trusted, such as in the case of a terminated employee or a decommissioned server, the certificate must be revoked.
- Expiration of organizational policies: Some certificates may need to be revoked if they no longer comply with updated security policies.
How Certificate Revocation Secures Your Servers
In a server environment managed by TLS Protect Cloud, maintaining up-to-date and valid certificates is essential to secure communication channels. Revoking certificates that are no longer trustworthy protects your system by:
- Mitigating the risk of compromise. By revoking compromised certificates, you mitigate the risk of man-in-the-middle attacks or unauthorized access to your servers.
- Ensuring compliance. Keeping your certificates up to date ensures compliance with industry standards and organizational policies.
- Maintaining trust. Revoked certificates are listed in Certificate Revocation Lists (CRLs), or their status is published through the Online Certificate Status Protocol (OCSP), so clients and applications connecting to your services can verify whether a certificate is still valid.
By integrating certificate revocation into your security strategy, TLS Protect Cloud provides an additional layer of trust and security, allowing you to maintain control over the certificates that secure your infrastructure.
Features and benefits
- Certificate revocation workflow: When a user requests that a certificate be revoked, the request runs through a certificate revocation workflow. This confirms that the revocation is needed and protects against revoking certificates that shouldn't be revoked.
- Direct revocation request: Administrators can initiate revocation requests via the UI or API, enabling quicker security responses.
- Detailed revocation reasoning: Allows specifying reasons for revocation, such as Key Compromise or Cessation of Operation, aiding in transparent certificate management.
- Revocation status insights: A new status column in the Certificate Inventory provides immediate visibility into revocation outcomes, crucial for monitoring certificate integrity.
- Enhanced security controls: Restricting revocation capabilities to administrators reinforces secure certificate lifecycle management by ensuring that only authorized users can make changes.
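The CRL mechanism described under "Maintaining trust" and the revocation reasons listed above (Key Compromise, Cessation of Operation) map directly onto the CRLReason codes of RFC 5280. The following is an added example written for this page, not code from Venafi or TLS Protect Cloud: it builds a throwaway CA and leaf certificate, issues a CRL that lists the leaf with the keyCompromise reason, and then performs the relying-party check a client would do, accepting the CRL only if the expected CA signed it and it is not past NextUpdate. The CA name, serial numbers and hostnames are constructed; the code uses only Go's standard library (crypto/x509, Go 1.21 or later for RevocationListEntry).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLReason codes from RFC 5280 section 5.3.1 (code 7 is unassigned).
var reasonNames = map[int]string{
	0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
	4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
	8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise",
}

func reasonName(code int) string {
	if n, ok := reasonNames[code]; ok {
		return n
	}
	return fmt.Sprintf("unknown(%d)", code)
}

// must panics on error; used only for the constructed demo PKI below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate from tmpl; with parent == nil it is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// demoPKI builds a throwaway CA and one leaf certificate (constructed material, not a real CA).
func demoPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	now := time.Now()
	ca, caKey = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}, nil, nil)
	leaf, _ = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "a.example.test"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, caKey)
	return
}

// issueCRL signs a CRL listing each serial with its CRLReason code (the CA side).
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked map[int64]int) ([]byte, error) {
	now := time.Now()
	var entries []x509.RevocationListEntry
	for serial, reason := range revoked {
		entries = append(entries, x509.RevocationListEntry{SerialNumber: big.NewInt(serial), RevocationTime: now, ReasonCode: reason})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkRevocation is the relying-party side: trust the CRL only if the issuing CA signed it and
// it has not passed NextUpdate, then look the certificate up by serial number.
func checkRevocation(crlDER []byte, issuer, cert *x509.Certificate) (revoked bool, reason int, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, 0, fmt.Errorf("CRL not signed by expected issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, 0, fmt.Errorf("CRL is stale (NextUpdate %s)", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, e.ReasonCode, nil
		}
	}
	return false, 0, nil
}

func main() {
	ca, caKey, leaf := demoPKI()
	crl := must(issueCRL(ca, caKey, map[int64]int{1001: 1})) // leaf revoked with reason keyCompromise
	rev, code, err := checkRevocation(crl, ca, leaf)
	fmt.Printf("%s revoked=%v reason=%s err=%v\n", leaf.Subject.CommonName, rev, reasonName(code), err)
}
```

The two failure modes in checkRevocation are the ones that matter operationally: a CRL that the expected CA did not sign is not evidence of anything, and a CRL past its NextUpdate may be missing revocations that have happened since, so both are reported as errors rather than as "not revoked".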
Next steps
To get started with certificate revocation, follow these steps.