SecurityScorecard complains about "certificate without revocation control"

Hey guys
I have the exact same problem as mentioned in this thread from 2021 (closed with no solution):

We're using SecurityScorecard to scan our network. For the PROD environment, we're using expensive commercial certificates, but for the staging environments, LE comes to the rescue. Unfortunately, SecurityScorecard complains that the certificate does not have a revocation control.

I already wrote to SecurityScorecard that this is BS, as one can revoke an LE certificate (Revoking Certificates - Let's Encrypt), but apparently it does not correspond to the standard way of revoking certificates? Can someone shed some light on this, as this is giving us quite a headache. Thanks!

My domain is: www.abna.visana.ch

There are two main ways that a CA can designate a certificate as revoked: There is OCSP where a system can query a server for the status of a specific certificate, and there is CRL where the CA regularly publishes lists of revoked certificates, and certificates not on those lists are considered still valid.

A certificate can (and most do) include fields like "Authority Information Access" and "CRL Distribution Points" which list the OCSP and/or CRL addresses so that systems that use the certificate can easily find them, though there are also other ways that systems like web browsers can get them.

Last year, Let's Encrypt stopped hosting OCSP endpoints in favor of only using CRLs. (Also read the blog posts linked from that one for even more context.) They should be just as "secure"; it's just that a system trying to confirm that a certificate is still valid needs to get a bigger list and see if that certificate is on it, rather than only querying for the information for that specific certificate.

Since all certificates are publicly logged to Certificate Transparency logs, I can actually look up the current certificate for that domain. It lists in the "CRL Distribution Points" that the CRL for it would be published to http://r12.c.lencr.org/115.crl. You can download that file and look at it (on Windows you can actually just double-click it; on other systems if you have openssl you can run something like openssl crl -in 115.crl -text -noout to see what's in it), and see that your certificate with serial number 05:2a:34:45:25:88:bc:1f:a6:cd:04:93:ac:07:a2:0e:24:72 isn't on the CRL list and so is still valid.

I have no idea what that particular security scanning tool is looking for or why it would think that Let's Encrypt's certificates couldn't be revoked.
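The "is my serial on that CRL?" check described above, as an added example that is not part of the post or of any Let's Encrypt tooling: a minimal standard-library DER walker that lists the serials in `tbsCertList.revokedCertificates` and tests a colon-separated serial (the form `openssl x509 -serial` prints) against them. The sample CRL is constructed here with a dummy issuer and a fake signature so the check runs offline; the serial names and values are assumptions.

```python
# Added example: check a certificate serial against a DER-encoded X.509 CRL with a
# minimal DER walker (stdlib only). It does NOT verify the CRL signature or nextUpdate;
# a real client must do both before trusting the list.
def _read_tlv(data, pos):  # -> (tag, value, next_pos) for the DER element at data[pos]
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(seq):  # yield (tag, value) for each element inside a SEQUENCE/SET body
    pos = 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        yield tag, value
def revoked_serials(crl_der: bytes) -> set:
    """Serial numbers listed in tbsCertList.revokedCertificates (RFC 5280, 5.1)."""
    _, cert_list, _ = _read_tlv(crl_der, 0)        # CertificateList
    _, tbs, _ = _read_tlv(cert_list, 0)            # tbsCertList
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:                       # optional version INTEGER (v2 = 1)
        fields = fields[1:]
    # fields[0:3] = signature, issuer, thisUpdate; then optional nextUpdate (Time),
    # optional revokedCertificates (SEQUENCE OF), and [0] EXPLICIT crlExtensions.
    serials = set()
    for tag, value in fields[3:]:
        if tag == 0x30:
            for _, entry in _children(value):
                _, serial, _ = _read_tlv(entry, 0)  # userCertificate INTEGER (signed DER)
                serials.add(int.from_bytes(serial, "big", signed=True))
    return serials
def is_revoked(crl_der: bytes, serial_hex: str) -> bool:
    """serial_hex in the colon-separated form openssl prints, e.g. '05:2a:34:...'."""
    return int(serial_hex.replace(":", ""), 16) in revoked_serials(crl_der)
# --- constructed sample CRL (unsigned, dummy issuer) so the check runs offline ---
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def build_sample_crl(revoked: list) -> bytes:
    integer = lambda v: _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    time = _der(0x17, b"250101000000Z")                                   # UTCTime
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                             + _der(0x0C, b"Demo CA"))))  # CN=Demo CA
    entries = b"".join(_der(0x30, integer(s) + time) for s in revoked)
    tbs = _der(0x30, integer(1) + alg + issuer + time + time + _der(0x30, entries))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))               # fake signature
REVOKED_SERIAL = 0x1234_5678_9ABC                                         # constructed
SAMPLE_CRL = build_sample_crl([REVOKED_SERIAL])
```

Against a real CRL such as the one from the r12.c.lencr.org distribution point, run the same check on the downloaded bytes, but only after verifying the file's signature against the issuing intermediate and confirming nextUpdate has not passed.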

