Part 3 · PKI Architecture · Intermediate · 9 min read

Certificate Revocation

Certificates have expiration dates, but sometimes trust needs to be withdrawn before that date arrives. Certificate revocation is the mechanism that allows organizations to invalidate a certificate immediately when something goes wrong, whether a private key has been compromised, an employee has left, or a domain has changed ownership.

Quick Facts

Type: Educational
Level: Intermediate
Chapter: 13 of 25
Next: Certificate Transparency

Overview

When a Certificate Authority issues a digital certificate, it sets a validity period: a start date and an expiration date. Under normal circumstances, the certificate is trusted throughout that window and rejected afterward. But what happens when a certificate needs to be invalidated before it expires?

This is where certificate revocation comes in. Revocation is the process by which a CA declares that a previously issued certificate should no longer be trusted, even though it has not yet expired. Without revocation, a compromised certificate would remain valid until its natural expiration, potentially giving an attacker days, weeks, or months to impersonate a legitimate server, sign malicious code, or intercept encrypted communications.

The PKI ecosystem provides two primary mechanisms for communicating revocation status to clients: Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP). Each approach has distinct strengths and trade-offs, and understanding them is essential for anyone managing certificates at scale.

Key Steps

1. Server fetches the OCSP response

The web server periodically queries the OCSP responder for the status of its own certificate. The signed OCSP response is cached locally on the server. This happens in the background and does not affect user requests.

2. Response is stapled to the TLS handshake

When a client connects, the server includes the cached OCSP response in the TLS handshake (specifically, in the CertificateStatus message). The client receives the certificate and its revocation status in a single round trip.

3. Client validates the stapled response

The client verifies that the stapled OCSP response is signed by the CA, is still within its validity window, and confirms the certificate's status as "good." Because the response is signed by the CA, the server cannot forge a favorable status.
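The three steps above, as an added example that is not part of this article: a stdlib-only Python model of the client-side checks in step 3 (signature, validity window, status) plus the server-side refresh decision from step 1. DER parsing and the real CA signature check are assumed to come from an x509 library; here the signature is a constructed HMAC stand-in, the clock-skew tolerance and the "refresh at the midpoint of the window" policy are assumptions, and the field names follow RFC 6960.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Tuple

@dataclass
class StapledResponse:
    """Fields a client extracts from a parsed OCSP response (constructed model)."""
    serial: int              # serial of the certificate the response covers
    cert_status: str         # "good", "revoked" or "unknown" (RFC 6960)
    this_update: datetime    # start of the response's validity window
    next_update: datetime    # end of the window (optional in RFC 6960, required here)
    tbs: bytes               # the signed ResponseData bytes
    signature: bytes         # signature over tbs by the CA (or its responder)

SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift between parties

def validate_staple(resp: StapledResponse, expected_serial: int,
                    verify_signature: Callable[[bytes, bytes], bool],
                    now: datetime) -> Tuple[bool, str]:
    """Step 3: accept the staple only if it is CA-signed, fresh and says 'good'."""
    if not verify_signature(resp.tbs, resp.signature):
        return False, "signature does not verify against the CA"
    if resp.serial != expected_serial:
        return False, "response covers a different certificate"
    if resp.this_update > now + SKEW:
        return False, "thisUpdate lies in the future"
    if now > resp.next_update + SKEW:
        return False, "response expired: past nextUpdate"
    if resp.cert_status != "good":
        return False, f"certificate status is {resp.cert_status}"
    return True, "good"

def refresh_due(resp: StapledResponse, now: datetime) -> bool:
    """Step 1 (assumed policy): re-fetch once half the window has elapsed, so the
    cached staple is replaced well before clients would reject it as expired."""
    midpoint = resp.this_update + (resp.next_update - resp.this_update) / 2
    return now >= midpoint

# Constructed stand-in for the CA's signing key; a real responder uses RSA/ECDSA.
DEMO_KEY = b"constructed-demo-key-not-a-real-ca-key"

def demo_sign(tbs: bytes) -> bytes:
    return hmac.new(DEMO_KEY, tbs, hashlib.sha256).digest()

def demo_verify(tbs: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(tbs), sig)

def make_response(serial: int, status: str, this_update: datetime, hours_valid: int) -> StapledResponse:
    """Build a constructed, demo-signed response valid for hours_valid hours."""
    tbs = f"{serial}|{status}|{this_update.isoformat()}".encode()
    return StapledResponse(serial, status, this_update,
                           this_update + timedelta(hours=hours_valid), tbs, demo_sign(tbs))
```

A tampered signature, a stale window, a wrong serial and a "revoked" status are each rejected with a distinct reason, which is the information a server operator wants logged when clients start refusing a staple.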

How we help

Evertrust & Certificate Revocation

Instant revocation workflows: Evertrust CLM lets you revoke any certificate in your inventory with a single action, automatically notifying the issuing CA and updating your internal records. When a key compromise is detected, every second counts.

CRL and OCSP management: Evertrust PKI operates as a full Certificate Authority with built-in CRL publishing and OCSP responder capabilities. CRLs are generated on schedule and OCSP responses are served with configurable freshness intervals, ensuring relying parties always have access to current revocation data.

Revocation monitoring: Evertrust continuously monitors the revocation status of all certificates in your inventory, alerting you if a certificate you depend on has been revoked by an external CA. This is critical for chain integrity.

Automated replacement after revocation: Revoking a certificate is only half the job. Evertrust automates the issuance and deployment of a replacement certificate immediately after revocation, preventing the outages that often follow manual revocation processes.