Revoked cert still valid at crt.sh


#1

I revoked a certificate a few days ago (to create a new one with one altname more) and its still displayed as unrevoked at crt.sh. When i try to revoke it again certbot tells me, that it’s already revoked.

Is it that slow or went something wrong?


#2

I’m not sure if the listed revocation mechanisms are actually for end user certificates.

For example, OneCRL is for intermediate certificates and Google mentions something about “EV CRLs and CRLs with good reason codes”.

So my idea about this is you’re not going to check the revocation status through crt.sh.

You might want to use SSLLabs’ SSL Server Test. It has a “Revocation status” item.


#3

I would need to install the old certificate to use this. Is there some service where i can upload the cert to get the revokation status (crl, ocsp)?


#4

It’s orthogonal to your question, but simply issuing a new certificate isn’t a reason to revoke the old one. The only real reason to revoke a certificate is if you suspect a compromise of the private key.


#5

You could check the OCSP server of Let’s Encrypt of course…

openssl ocsp -issuer chain.pem -cert cert.pem -verify_other chain.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host ocsp.int-x3.letsencrypt.org

But I’m not quite sure why: you don’t trust Let’s Encrypt revoking your cert when you asked them to, even when it says it’s already revoked when you tried a second time? :stuck_out_tongue:


#6

https://certificate.revocationcheck.com/ can check certificates you upload to it

And Osiris was right that Rob’s crt.sh “revocation” indicator is focused on these special services like OneCRL that don’t handle ordinary routine revocations like yours. I think a few of us have mentioned now that this is confusing for end users.


#7

I have a new one with a new key, which completely replaces the old one … so i think its a good practice to make sure, that the old one cannot be used anymore. I could just let it expire, but that way it’s explicitly revoked now (and possibly letsencrypt will not mail me renewal notices until its finally expired).


#8

Thanks, this works. And the cert is correctly marked as revoked.


#9

That’s only necessary if there’s a chance the private key is compromised. If you just delete the private key, there’s no need to revoke the cert, unless you’re afraid the NSA/Aliens will somehow restore the deleted file from the file system :wink:

Not revoking unnecessarily on the other hand also has it’s merits: keeps the size of the CRL from growing too big.


#10

Let’s Encrypt doesn’t publish a CRL for leaf certificates. Only OCSP is supported. However revoking previously issued certificates does slightly increase the workload for OCSP I believe.


#11

No aliens, just a clean state, telling everyone which certificate is invalid now. I guess the crl should be no problem with 90 Day lifetime and for ocsp is send a stapled response.


#12

I guess it only increases the storage, as the load comes from the client asking if the current certificate is valid.


#13

Well frankly, to put it this way: nobody probably cares :wink: You’ve switched out your certificate as you said, there’s probably no one who has anything to do with the old one :slight_smile: Unless you’ve got some freaky strange set up going on? Or just a plain webserver? :stuck_out_tongue: Because if it’s the latter: the clients won’t care :slight_smile:


#14

Ah, that’s true :slight_smile: Forgot about that. I guess for OCSP there’s no difference in telling the server (or client) the certificate is OK or revoked: either way the OCSP response has to be signed et cetera.


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.