Main section
Revoking SSL/TLS certificates – Restoring security in critical situations
Revocation is the process of invalidating an SSL/TLS or S/MIME certificate before its expiry date (withdrawal). Find out here why this step is sometimes essential and how you can securely and swiftly update your certificates with SwissSign.
What does revocation mean?
Certificate revocation is the process of declaring a valid SSL/TLS certificate invalid or cancelling it before it expires. Both the certificate holder and the certificate authority (CA) can revoke a certificate. For email certificates with a company entry, the relevant organisation can also request revocation.
Revocations are published in certificate revocation lists (CRLs) or displayed using the Online Certificate Status Protocol (OCSP).
Examples:
- The user has forgotten their private key password.
- The key material has been corrupted (see also the section entitled ‘Reporting a key compromise’).
- The information in the certificate is no longer up to date (e.g. email address, someone has left the organisation or there has been an organisation name change).
- Mis-issuance: certificates did not meet the formal requirements set down by the CA/Browser Forum at the time of issuance, or contain incorrect information about the certificate holder (e.g. department name instead of a person’s name).
Do you need to revoke a certificate?
You can do so in three ways:
- Digital revocation: you will find a certificate revocation link in your certificate issuance email.
- Online revocation in your Managed PKI: as an operator, you can conveniently select and revoke issued certificates in your Managed PKI via the WebGUI. Revocation is also possible through the automated interfaces.
- Offline revocation: the offline revocation form (PDF) is available for offline revocation.
You must revoke your certificates if…
Revocation should always take place if the certificate’s security or integrity is compromised.
For example:
- After a server hack.
- When an employee whose e-mail address is in the certificate leaves the company.
- In case of loss or theft of the server or other security-related infrastructure.
What should you consider after revocation?
- Certificate replacement: after revocation, a new SSL/TLS certificate should be requested and installed.
- Server configuration check: ensure that the new certificate is properly installed.
Automation and protection against future problems
SwissSign’s Managed Public Key Infrastructure (MPKI) allows you to automate certificate management and minimise risks such as key loss or faulty certificates.
Discover our MPKI solution for secure and efficient certificate managementQuestions & Answers
Who can revoke the certificate? Company or only the person to which the certificate belongs?
Either of these.
Reporting a key compromise
If a key compromise is discovered, it is important for the certificate to be revoked immediately or for the key compromise to be reported to SwissSign.
If it is one of your own certificates:
- Shop: if the certificate was ordered in the shop, please follow the instructions above.
- MPKI: for an MPKI, you can block the corresponding certificate yourself using your MPKI access
If it is somebody else’s certificate, please follow the steps below.
- If possible, please notify the certificate holder.
- Send us an email containing the points below to [email protected]:
1) The email must have the following subject: ‘Key compromise SwissSign certificate’
2) The email must contain the following elements in the body (not as an attachment):
a) The certificate concerned (base64/PEM encoded)
b) The Certificate Signing Request (CSR) signed with the private key concerned containing the Common Name (CN) ‘Key compromise SwissSign certificate’ (base64/PEM encoded; all other CSR fields can have any value)
c) Details of the applicant in addition to the email address, if applicable
Terms and revocation
Technical terms and contractual terms
A certificate has a specific validity period (technical term). For the Managed PKI service, this is independent of the commercial contractual term (service period). Certificates can therefore be issued during the service period whose validity extends well beyond the end of the service period. The contract is open-ended and can be terminated at the end of the one-year service period with notice of three months.
Revocation with re-issue
Certificate revocation and subsequent re-issue (e.g. change of employee) is considered to be a single certificate.
Revocation – contract termination
At the end of the contract, any certificates that are still valid will be withdrawn, either by you or by our support team. To do this, please contact: [email protected] or call +41 848 77 66 55.
Are revoked certificates deleted from the CRL after a certain amount of time?
This depends on the type of certificate:
- Revoked SSL/TLS and email certificates are deleted from the Certificate Revocation List (CRL) once the standard period of validity has expired.
- Revoked certificates for signing documents stay on the CRL even after the expiry date specified on the certificate. For signature validation, it’s important to know whether or not the certificate was valid at the time of signing.
Can I test a certificate and will I receive reimbursement if the certificate is revoked?
Essentially, the end customer or partner does not have a claim to any refund or credit in accordance with the GTC. So it’s always a question of goodwill on the part of SwissSign.
We currently follow the goodwill rules below:
All customers can request a refund of the issued certificate within 30 days.
From 30 days after the certificate is issued, a credit equivalent to the remaining duration of the certificate concerned will be given.
Please note: certificates revoked by the customer without prior contact with our support regarding a refund request will not be eligible for a refund or credit.
