Questions tagged [certificate-revocation]
Certificate Revocation is the process of reporting to a certificate's issuing CA that the certificate should no longer be trusted. The CA then places the certificate on its CRL and answers "REVOKED" to any OCSP request for that certificate. Normally only the owner of the certificate (the holder of the private key) can revoke it, though in special circumstances a CA can revoke a certificate directly.
190 questions
2 votes | 0 answers | 212 views
Lists of blocked certificates on various platforms
This webpage by Apple appears to list the certificates that their products automatically treat as untrusted by default. Are there similar resources for other platforms and/or browsers?
On this site, ...
5 votes | 2 answers | 1k views
When to use a CRL distribution point in a root certificate?
I understand that each certificate can have a CRL distribution point (extension 2.5.29.31) – or even multiple ones, but let's not consider that for the moment. Let's assume we have a root CA > ...
2 votes | 1 answer | 251 views
practical applications and revoked intermediate/issuing CAs
My mind has been blown by my learning the last few days...it seems that browser handling of CA CRLs and OCSP checking has so much variation present. I'm experimenting with my own root CA, with ...
2 votes | 1 answer | 312 views
Certificate/key revocation
Systems like Certificate Transparency and Key transparency store trees of keys/certificates. How would a user be able to remove a fraudulent/expired key or certificate? Do the trees stay the same and ...
1 vote | 2 answers | 283 views
How is issuing a certificate revocation response different from re-issuing the certificate itself?
I am reading about how certificates work in the context of X.509, SSL/TLS/HTTPS. According to Wikipedia, the client (e.g. a browser) is supposed to check the revocation status for each non-root ...
1 vote | 0 answers | 104 views
Is a revocation certificate still valid after updating GPG key's expiration?
When I first generated my GPG key I created a revocation certificate for it as well. Now I've edited my key and its subkeys and updated their expiration. Do I need to generate a new revocation ...
0 votes | 1 answer | 2k views
What is default_crl_days in OpenSSL and recommended days?
I'm new and I'm trying to understand default_crl_days. The default is 30 days thus does it mean after 30 days, the CRL list can no longer be trusted? If so, do we need to generate a new list before 30 ...
0 votes | 1 answer | 147 views
Are certificates persistent outside of where it's created?
For example, consider https://www.cloudflare.com/ssl/ where I can get a free SSL cert. If I create a cloudflare account and get a cert but delete my cloudflare account, is the cert auto-revoked? What ...
27 votes | 4 answers | 6k views
What's the point of certificates in SSL/TLS?
A valid certificate cannot guarantee that I'm not being MITM'd right now, as either the private key or CA may have been compromised. For this reason, I have to contact a CA through CRL/OCSP to check ...
0 votes | 1 answer | 622 views
openssl ca -revoke causes `Can't open ./demoCA/cacert.pem`
I'm learning for the first time the concept of revoking certificates. I created a certificate with openssl then I tried to revoke it. But my revoke command causes an error.
Here's what I did
# ...
4 votes | 2 answers | 398 views
How can I ensure that a CSR doesn't rely on a revoked private key
CRL lists the revoked certificates of a CA by sending back to the user the Serial Number of each certificate, nothing related to the public key. I don't know how it works for OCSP.
Is there a ...
5 votes | 1 answer | 2k views
Do current browsers still validate CRLs in enterprise PKI environments
I know that modern web browsers don't check CRLs for certificates from CAs in the default trust store anymore.
I also know that there are some exceptions for certificate validation when it comes to ...
0 votes | 2 answers | 604 views
Does a certificate revocation list (CRL) keep its entries at least as long as the certificate would have been valid?
This question is specifically about certificates that should have had a long lifetime, but were revoked quickly.
Is every CRL issued by this CA guaranteed to include its revocation, as long as the ...
1 vote | 0 answers | 374 views
Any vulnerability of OCSP for proof of concept
I have an assignment in which I have to implement OCSP and do a proof of concept of a vulnerability.
My idea was to implement OCSP without using a nonce (this is done) and then perform a replay attack....
1 vote | 5 answers | 932 views
How does a digital certificate prove authenticity?
Imagine the following scenario:
We have Bob that wants to send a message to Alice. Both have a public/private key. Bob uses his private key to sign the digest (hash of the message) with its private ...