Revoked SSL Certificate
Description
A revoked SSL/TLS certificate is one that the issuing Certificate Authority (CA) has invalidated before its scheduled expiration date, typically because the private key was compromised, the certificate was misused, or it was withdrawn for administrative reasons. When a server continues to present a revoked certificate, browsers and security tools that check revocation through Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) will see the revoked status and flag the connection as untrusted. This creates a critical trust issue that exposes both the website operator and end users to security risks.
Remediation
Immediately replace the revoked SSL/TLS certificate by following these steps:
- Obtain a New Certificate: Contact your Certificate Authority (CA) or hosting provider to request a new certificate. If the revocation was due to private key compromise, generate a new private key and create the Certificate Signing Request (CSR) from that fresh key; never reuse the compromised key.
- Install the New Certificate: Deploy the new certificate to your web server, ensuring the full certificate chain (intermediate certificates) is properly configured.
- Verify Installation: Use SSL testing tools (such as SSL Labs' SSL Server Test) to confirm the new certificate is properly installed, that its chain is complete, and that its revocation status is reported as good.
- Update Certificate Monitoring: Implement automated certificate monitoring to receive alerts before expiration and to detect revocation events.
- Review Revocation Cause: Investigate why the certificate was revoked to prevent recurrence. If the cause was a compromise, conduct a security audit and rotate all potentially affected credentials.
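The following script is an added example, not part of the original page, that walks through the steps above in a self-contained lab: it builds a throwaway CA, issues a server certificate, revokes it for keyCompromise, and then runs the two checks a practitioner uses to confirm the state of a certificate (a CRL check with `openssl verify -crl_check`, and an OCSP exchange in which the responder and the client both run locally). Finally it issues a replacement on a fresh private key and shows that the replacement passes both checks while the old certificate fails. The CA name, the hostname `www.example.test`, and all file names are constructed for the demo; it needs only the `openssl` command-line tool and runs entirely offline.

```shell
#!/bin/sh
# Added example (not from the original page): a throwaway CA, a revoked
# server certificate, and the CRL/OCSP checks that expose the revocation.
# All names and files below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal 'openssl ca' database layout and configuration for the demo CA.
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = any_pol
[ any_pol ]
commonName       = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:www.example.test
EOF

# Issue a server certificate for www.example.test on a NEW private key.
# $1 = base name: writes $1.key, $1.csr and $1.crt.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -extensions v3_leaf \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# CRL check. Prints valid | revoked | error.  $1 = cert, $2 = CRL, $3 = CA cert.
crl_status() {
  out=$(openssl verify -crl_check -CAfile "$3" -CRLfile "$2" "$1" 2>&1) && { echo valid; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}

# OCSP check with both sides of the exchange run locally: the responder
# answers from the CA database and signs the response, the client verifies
# that signature and prints the status.  Prints good | revoked | unknown.
# $1 = cert, $2 = CA cert, $3 = CA key, $4 = CA index file.
ocsp_status() {
  openssl ocsp -index "$4" -CA "$2" -rsigner "$2" -rkey "$3" \
    -issuer "$2" -cert "$1" -no_nonce -respout "$1.ocsp" >/dev/null 2>&1
  openssl ocsp -issuer "$2" -cert "$1" -CAfile "$2" -respin "$1.ocsp" -no_nonce 2>/dev/null \
    | awk -v c="$1:" '$1 == c { print $2; exit }'
}

# Root CA.
openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
  -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" -days 365 2>/dev/null

# Original certificate plus an empty CRL: both checks pass.
issue_cert srv
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
echo "before revocation: CRL=$(crl_status srv.crt crl.pem ca.crt) OCSP=$(ocsp_status srv.crt ca.crt ca.key ca/index.txt)"

# The key is treated as compromised: revoke and publish a fresh CRL.
openssl ca -config ca.cnf -revoke srv.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
echo "after revocation:  CRL=$(crl_status srv.crt crl.pem ca.crt) OCSP=$(ocsp_status srv.crt ca.crt ca.key ca/index.txt)"

# The recorded reason code is what "Review Revocation Cause" starts from.
openssl crl -in crl.pem -noout -text | grep -A5 'Revoked Certificates'

# Remediation: new CSR on a new private key, re-issue, re-check.
issue_cert srv-new
echo "replacement:       CRL=$(crl_status srv-new.crt crl.pem ca.crt) OCSP=$(ocsp_status srv-new.crt ca.crt ca.key ca/index.txt)"
```

Against a live server the same two checks are done with the chain fetched from the host: `openssl verify -crl_check` with the CRL named in the certificate's CRL Distribution Points extension, and `openssl ocsp -url` against the responder named in its Authority Information Access extension. The replacement passing here while the old certificate fails is exactly the result the "Verify Installation" step should confirm on the real host.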
For automated certificate management, consider an ACME protocol-based solution such as Let's Encrypt with automatic renewal, so that certificates are replaced on a schedule and a revoked or expiring certificate can be reissued without manual intervention.