I’ve revoked a certificate, but browsers still show it as fine. SSL labs check does show it revoked, but what’s the point in revoking a certificate if browsers don’t notice?
Apols if this is a stupid question, I’m not completely new to certificate mgmt but realise there’s lots I don’t know.
Your browser may have a valid OCSP response in cache. They are valid for up to 4 days, so I guess that after at most 4 days your cert will appear as revoked in browsers (assuming browsers support and check OCSP).
As Let's Encrypt only does OCSP and does not have (to my knowledge) a CRL (certificate revocation list), I wonder how Let's Encrypt revocation can work on Google Chrome. It would be nice to have an answer from Let's Encrypt staff ^^.
That's what I mean by ignore. But anyway, wrong choice of words, my bad.
I am still interested in knowing how Let's Encrypt revocation can work with Chrome, without OCSP stapling, which won't be used by an attacker if the private key leaked.
Note (to myself) that this can be fixed when support for Must-Staple / TLS-Feature is deployed to the production Boulder (a Let's Encrypt client option could also be added to ease deployment of this cert extension).
[quote="Nit, post:6, topic:11531"]
Note (to myself) that this can be fixed when support for Must-Staple / TLS-Feature is deployed to the production Boulder (a Let's Encrypt client option could also be added to ease deployment of this cert extension).[/quote]
Unfortunately, browser support for Must-Staple is quite premature. Firefox has the feature in the development version (45), but that version isn't stable yet. Chrome doesn't have support at all. I don't know about other browsers.