Client detection strategy for server initiated revocations

In light of the recent revocation situation, I realized my client doesn’t know or check whether a cert it’s responsible for renewing has been revoked. Do any other clients check revocation on renewal checks? Is there a standard way they do that via ACME rather than actually reaching out to the OCSP/CRL servers directly?

I intend to test some of this stuff on my own once I have the time. But I figured I’d post the question in case anyone else has already dealt with it.

Like, does the status of the associated order change if the server revokes the cert? Given the possible status values, I suppose the best case is that it would become invalid. But then, is it possible to determine the difference between an invalid order that’s just expired versus an invalid order due to revocation? Do orders even go invalid when they expire? Memory is hazy on the specifics of the order status lifecycle.

Hi @rmbolger,

According to other threads and my recollection, there’s currently no alternative to OCSP for this check (although maybe there should be).