Exploring Certificate Revocation Process
1 min readApr 6, 2024
This article aims to explore the three ways used to check if a given certificate is revoked or not.
Some of the reasons a certificate might have been revoked are:
- keyCompromise.
- affilitationChange.
- superseded.
- privilegeWithdrawn.
I am going to use the certificate from “www.baccredomatic.com” as an example.
Certificate Revocation List (CRL)
This is a list, maintained by the Certificate Authority (CA), which holds information regarding which certificates have been revoked. They are typically, in DER format (binary). It holds the serial number of all revoked certificates.
General process:
- The client connects to the Server.
- The server replies with the certificate for the website.
- The client locates and downloads CRL info inside the provided certificate.
- The client takes the serial number of the provided certificate and searches this value in the CRL list.
** If there is a match, then the certificate has been revoked.
** If there is no match, then the certificate is good to use.
Example:
- Acquiring certificate
openssl s_client -connect www.baccredomatic.com:443…
