Revocation after expiration?


#1

Suppose a certificate just expired, like few minutes ago. Should a client still try to revoke it under assumption that a browser may have a local clock that is off by few hours?


#2

Assuming the private key has been compromised?

I’m not sure if after revocation the cached OCSP responses are being updated. Would be good, ofcourse, but I can also understand if incorrect OCSP responses after revocation can linger in the cache of the CDN.


#3

My scenario is about emergency renewal. If due to bugs or mismanagement the renewal does not happen until the first user complains about expired certificate, should the system still try to revoke the old certificate after getting new one?


#4

If you’re just renewing a certificate normally, and the old certificate’s key isn’t compromised, there’s no need to revoke the old one.


#5

Hm, does this defeat a purpose of automating everything? I.e. if the key was compromised, I do not want to remember to run some obscure manual command to revoke the certificate. Rather I would prefer to know that this happens automatically as a part of normal operational cycle.


#6

What would you like to happen automatically? Revocation?


#7

Yes, I want to revoke the old certificate automatically after the the new certificate was deployed and backed up.


#8

Why would you do that automatically for every certificate, even if the key wasn’t compromised? Only for the very unlikly clock skew scenario?


#9

You should take care that the key never gets compromised, this is even declared in the terms of agreement, IIRC. If your key gets compromised anyway, you should investigate and not rely on automatic revocation upon renewal.


#10

It is precisely to avoid the key getting compromised I wanted to revoke the certificate. I.e. in my case it is more likely that the compromise happens through an old backup rather than through the access to the current server.

But I guess I should not put the key into the backup in the first place (that system comes from pre-letsencrypt days). With shown reliability of letsencrypt I can just assume that an extra time to get the certificate after restoration from a backup will be minuscule compared with time to restore from backup.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.