A revoked SSL/TLS certificate, like an expired one, stops a website in its tracks: once a browser reports that the site is presenting a revoked certificate, visitors get a full-page warning instead of your content. Browsers differ in how they check revocation (Chrome, for example, relies on a summary list fed by CAs rather than on live CRL lookups), so a revoked certificate can appear to work for some visitors while failing hard for others, which makes the problem easy to miss.
About SSL Certificate Revocation
SSL certificate revocation is the act of declaring that an issued certificate is no longer valid, that is, the issuer has withdrawn its trust in it.
A revoked certificate is not the same as an expired certificate. It is a certificate that is still within its validity period but that the issuing CA has declared invalid before the expiry date.
End-users (subscribers) do not revoke certificates themselves. Only the Certification Authority (CA) that issued the certificate can revoke it, although a subscriber can request revocation from the CA, and should do so immediately if the private key may have been exposed.
There are various reasons why a certificate might get revoked by a CA:
- The private key has been lost or compromised, so the certificate can no longer be trusted
- The subscriber no longer controls the domain, or has ceased operations entirely
- The certificate was found to have been mis-issued (for example, without proper domain validation or in violation of the CA's policy)
- The certificate has been re-issued and the superseded copy revoked (most common reason; note that re-issuing does not always revoke the old certificate automatically, so check how your CA handles it)
So, have you re-issued the certificate for your website recently and forgotten to install the new one on your web server or hosting service?
SSL Certificate Revocation List (CRL)
When a CA revokes a certificate, it has to publish that fact so that web browsers, mobile apps and other TLS clients stop trusting the affected domain/subdomain (leaf) certificate.
The CA does this by adding the certificate's serial number to its Certificate Revocation List (CRL), a signed list that it publishes at a URL embedded in the certificate itself (the CRL Distribution Point extension). Most CAs also answer per-certificate status queries over OCSP. A client that checks revocation fetches the CRL (or asks OCSP) and refuses any certificate whose serial number is listed.
A CRL contains only the certificates the CA has revoked and that have not yet expired, each identified by serial number and revocation date, usually with a reason code. It is not a record of everything the CA has issued for your hostname.
That record exists elsewhere: Certificate Transparency (CT). Under CT, as agreed between CAs and the organisations that manage browsers and operating systems, every publicly trusted certificate is submitted to public, append-only logs. The logs hold precertificates (the version a CA logs before signing the final certificate) and final leaf certificates, which is why every certificate ever issued for your hostname can be looked up. CT logs record issuance, not revocation; the revocation status of a logged certificate still comes from its issuer's CRL or OCSP responder. Search tools such as crt.sh combine the two by listing the CT entries for a name and checking each one against its issuer's CRL.
Checking a CRL for your Website certificate
You can check the revocation status of your certificate by visiting the crt.sh website and searching for certificates issued for your hostname. crt.sh indexes the public Certificate Transparency logs (not CRLs), so it lists every logged certificate for the name, and for each one it reports whether the issuer's CRL (and the browser vendors' block lists) mark it as revoked.
The certificates are listed newest first. The results include precertificates as well as final leaf certificates. A precertificate entry means the CA committed to issuing that certificate, and the final certificate, which usually carries the same serial number, may or may not be logged separately. Treat each entry as evidence that a certificate exists, but only the final certificate the CA delivered to you is what belongs on a web server.
On a certificate's own page, the Revocation section shows the mechanism checked (for example CRL or OCSP) and a status of Revoked if the certificate is on the list.
To download the certificate, use the download link in the Certificate section. This is useful if you have lost your certificate file and need to install it again, but only the certificate is recoverable this way: it is public data and useless without the matching private key. If the private key itself is lost, request a new certificate, and have the old one revoked if the key may have been exposed.
Alternatively, use the downloaded leaf certificate to check whether the one installed on your server is really the latest one issued. Opening a PEM file in a text editor shows only base64, so compare the serial number or the SHA-256 fingerprint of the two certificates instead; openssl can print both.
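The whole lifecycle described in the two sections above, as an added example that is not part of this article: a throwaway CA issues a leaf certificate for the hypothetical name www.example.test with a CRL Distribution Point pointing at the assumed URL http://crl.example.test/root.crl, publishes an empty CRL, revokes the certificate for key compromise, publishes a fresh CRL, and re-issues the site's certificate on a new key. The functions then check a certificate against a CRL the way a TLS client does (path validation with CRL checking), look its serial number up in the CRL by hand, and compare fingerprints to tell whether an installed certificate is the latest one. All keys, certificates and the CRL are constructed locally; nothing contacts a real CA or the network.

```shell
#!/bin/sh
# Added example, not code from the article: a local throwaway CA, its CRL, and
# the checks a client (or an operator) runs against it. www.example.test and
# the CRL URL are assumed names; nothing here is fetched from the network.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# 1. Throwaway root CA with the key usages a CRL issuer needs.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Root" \
  -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -set_serial 1 -days 30 -sha256 \
  -extfile ca.ext -out ca.crt 2>/dev/null

# 2. Leaf certificate on a fresh key. The CRL Distribution Point extension
#    tells clients where the issuer publishes revocations (assumed URL).
issue_leaf() {  # $1 = serial number, $2 = base name for key/csr/cert files
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:www.example.test\ncrlDistributionPoints=URI:http://crl.example.test/root.crl\n' > leaf.ext
  openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -set_serial "$1" \
    -days 30 -sha256 -extfile leaf.ext -out "$2.crt" 2>/dev/null
}
issue_leaf 0x1001 leaf

# 3. Minimal 'openssl ca' database so the CA can revoke certificates and sign CRLs.
cat > ca.cnf <<'EOF'
[ca]
default_ca = local_ca
[local_ca]
database = index.txt
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# CRL before anything is revoked; then revoke the leaf (key compromise),
# publish a new CRL, and re-issue the site's certificate on a NEW key.
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null
issue_leaf 0x1002 leaf2

# 4. Checks. Each helper prints one value so the results can be compared.
crl_distribution_point() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI://p' | head -n 1; }
cert_serial()            { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
cert_fingerprint()       { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
crl_revoked_serials()    { openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'; }

# What a TLS client does: full path validation with CRL checking enabled.
# Prints "ok", "revoked", or "error: <openssl output>" (e.g. no usable CRL).
revocation_status() {  # $1 = certificate, $2 = CRL published by its issuer
  _out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" 2>&1) && { echo ok; return 0; }
  case "$_out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo "error: $_out" ;;
  esac
}
# The manual equivalent: is this certificate's serial number on the CRL?
serial_in_crl() { crl_revoked_serials "$2" | grep -qx "$(cert_serial "$1")"; }
# Is the certificate installed on the server the same one crt.sh lists as latest?
same_certificate() { [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; }

echo "CRL published at:         $(crl_distribution_point leaf.crt)"
echo "leaf.crt vs empty.crl:    $(revocation_status leaf.crt empty.crl)"
echo "leaf.crt vs revoked.crl:  $(revocation_status leaf.crt revoked.crl)"
echo "leaf2.crt vs revoked.crl: $(revocation_status leaf2.crt revoked.crl)"
echo "serials on revoked.crl:   $(crl_revoked_serials revoked.crl | tr '\n' ' ')"
if same_certificate leaf.crt leaf2.crt; then echo "installed certificate is the latest one"
else echo "installed certificate $(cert_serial leaf.crt) is not the latest ($(cert_serial leaf2.crt))"; fi
```

In real use, leaf.crt is the certificate your server actually presents (save it from an openssl s_client -connect host:443 -servername host -showcerts session) and leaf2.crt is the PEM downloaded from crt.sh; same_certificate then tells you whether the reissued certificate ever made it onto the server. The openssl verify call is the check to trust: it validates the chain, the CRL signature and the CRL's validity window, whereas the serial lookup alone does not notice a CRL that is stale or forged.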