DigiCert KnowledgeBase - Technical Support


Industry-defined triggers and timelines for the revocation of TLS certificates

Solution ID : SO498
Last Modified : 08/09/2025

Another reason to automate your TLS certificate lifecycle process

TLS certificate revocation: Triggers and timelines

Occasionally, an event occurs in the world of digital security that requires a Certificate Authority (CA) to revoke and replace TLS certificates. Revocation is triggered when certificates can no longer be trusted to secure connections and must be withdrawn to protect users, for example because of an industry-wide vulnerability such as the Heartbleed bug. Other revocation triggers include compliance issues with either the TLS certificate or the CA itself.

When faced with a revocation event, the CA must follow specific industry guidelines outlined in section 4.9.1.1, Reasons for Revoking a Subscriber Certificate, of the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates. These requirements define the circumstances and timelines for a revocation: some situations require certificates to be revoked within 24 hours, while others allow up to 5 days. CAs are obligated to meet these deadlines whether the event involves a single certificate or a mass revocation.

24-hour revocation

The Baseline Requirements specify that a 24-hour revocation is required when:

  • the site owner requests it;
  • the certificate was issued without proper authorization;
  • the certificate's private key is stolen, compromised, or easily cracked; or
  • the CA can no longer confirm the owner's control of the domain.

5-day revocation

The Baseline Requirements also specify a separate set of reasons to determine when a revocation must happen within 5 days, including a range of compliance issues with either the certificate or the CA itself.

Examples include improper or fraudulent certificate use, a breach of the agreement between the website owner and the CA, the website owner's loss of the legal right to use the domain, incorrect information in the certificate, improper certificate issuance, or weaknesses in the key pair that leave the certificate vulnerable.


What can I do to lessen the impact of a revocation?

While preparing for a revocation event may not be at the top of your daily checklist, taking a few proactive measures now helps you respond effectively if such an event occurs. This preparation cannot eliminate the disruption a revocation causes, which may significantly affect your planned activities, but it makes meeting the required timeline far more feasible.

This preparation also has a positive long-term effect, making your day-to-day TLS certificate lifecycle management easier and helping you get ready for upcoming industry changes. For example, under the Baseline Requirements, the maximum validity period for TLS certificates will be reduced in several stages: first from 398 days to 200 days, then to 100 days, and ultimately to just 47 days. These changes will require organizations to replace certificates more frequently and on time. Learn more about the shortening of certificate lifetimes.

Protecting against revocation events

  • Ensure your systems can process certificate revocations and replacements quickly and without disruption.
  • Regularly review your certificate inventory to know how many certificates you have and where you are using them.
  • Implement automated certificate lifecycle processes to enable swift response and readiness.
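As an added example (not DigiCert's code or tooling), the following Go program shows the kind of inventory check the bullets above and the lifetime schedule described earlier call for. It parses a PEM-encoded certificate and records how long the certificate remains valid, whether it carries OCSP or CRL endpoints at which its revocation status can be checked, and whether its validity period exceeds the upcoming 398-, 200-, 100- and 47-day caps. The certificate it inspects is a self-signed sample constructed inline; the hostnames and URLs in it are placeholders, not real endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Maximum validity periods (in days) from the Baseline Requirements schedule
// referenced in this article, from the current cap down to the final one.
var validityCaps = []int{398, 200, 100, 47}

// InventoryRecord is the per-certificate summary an inventory review needs.
type InventoryRecord struct {
	Subject       string
	Issuer        string
	NotAfter      time.Time
	DaysRemaining int
	ValidityDays  int
	OCSPServers   []string
	CRLPoints     []string
	Findings      []string // conditions a reviewer should act on
}

// ReviewCertificate parses one PEM certificate and reports inventory facts and
// findings as of the reference time "now".
func ReviewCertificate(pemData []byte, now time.Time) (InventoryRecord, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return InventoryRecord{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return InventoryRecord{}, err
	}
	rec := InventoryRecord{
		Subject:       cert.Subject.String(),
		Issuer:        cert.Issuer.String(),
		NotAfter:      cert.NotAfter,
		OCSPServers:   cert.OCSPServer,
		CRLPoints:     cert.CRLDistributionPoints,
		ValidityDays:  int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24),
		DaysRemaining: int(cert.NotAfter.Sub(now).Hours() / 24),
	}
	if rec.DaysRemaining < 0 {
		rec.Findings = append(rec.Findings, "expired")
	}
	// Without an OCSP or CRL endpoint, clients cannot learn that the CA revoked it.
	if len(rec.OCSPServers) == 0 && len(rec.CRLPoints) == 0 {
		rec.Findings = append(rec.Findings, "no OCSP or CRL endpoint: revocation status cannot be checked")
	}
	// Flag every upcoming cap the current validity period would already violate.
	for _, cap := range validityCaps {
		if rec.ValidityDays > cap {
			rec.Findings = append(rec.Findings, fmt.Sprintf("validity %d days exceeds %d-day cap", rec.ValidityDays, cap))
		}
	}
	return rec, nil
}

// makeTestCert builds a self-signed certificate (a constructed sample, not a
// real CA-issued certificate) with the given validity and revocation endpoints.
func makeTestCert(cn string, notBefore time.Time, validityDays int, ocsp, crl []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, validityDays),
		DNSNames:              []string{cn},
		OCSPServer:            ocsp,
		CRLDistributionPoints: crl,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	issued := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	now := time.Date(2025, 9, 1, 0, 0, 0, 0, time.UTC)
	// Placeholder hostnames; a 398-day certificate with an OCSP responder but no CRL.
	pemData := makeTestCert("www.example.test", issued, 398, []string{"http://ocsp.example.test"}, nil)
	rec, err := ReviewCertificate(pemData, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %d days left, validity %d days\n", rec.Subject, rec.DaysRemaining, rec.ValidityDays)
	for _, f := range rec.Findings {
		fmt.Println("  finding:", f)
	}
}
```

Run over a directory of exported certificates, a review like this answers the two questions the bullets ask: how many certificates you have and where they are, and which of them would need replacing as each shorter lifetime cap arrives. The missing-endpoint finding is worth keeping even for publicly trusted certificates, since a certificate whose revocation status cannot be fetched is one your systems will not notice has been revoked.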

Looking for an automation solution?

DigiCert offers multiple automation solutions through Trust Lifecycle Manager and CertCentral, including support for ACME. DigiCert’s ACME allows automation of DV, OV, and EV TLS certificates and includes support for ACME Renewal Information (ARI).

Publicly trusted TLS server certificates should not be used on systems that cannot tolerate timely revocation. DigiCert also offers private-trust TLS server certificate solutions that may be better suited to such use cases.