Why not revoke a certificate after renewal or end of use?

It seems that Let’s Encrypt does not recommend revoking an old certificate after it has been renewed. I wonder why, since it seems that revoking it could have a number of benefits:

  • You could supply a contact email for use in special circumstances without having to deal with expiration email for a renewed certificate whenever the set of domains in your certificate changes, or for no longer needed certificates. (I don’t know if Let’s Encrypt sends expiration email reminders for revoked certificates.)

  • The CA could more directly monitor certificate renewal status if the CA needs to initiate revocation, like in the recent incident.

  • It could potentially reduce load at the CA for generating OCSP responses, because a revoked certificate only needs a single signed revoked response, whereas a valid certificate needs a continuous stream of signed good OCSP responses.

So what are the downsides? Is it complex to implement correctly in ACME clients? I can imagine you need some extra verification that your new certificate is fully deployed before you revoke your old certificate.

1 Like

It seems that Let’s Encrypt does not recommend revoking an old certificate after it has been renewed. I wonder why, since it seems that revoking it could have a number of benefits:

You could revoke after issuing a new certificate. We know of some subscribers who do that from parsing log data.

The CA could more directly monitor certificate renewal status if the CA needs to initiate revocation, like in the recent incident.

This is something that we're actively discussing internally and with client developers.

You could supply a contact email for use in special circumstances without having to deal with expiration email for a renewed certificate whenever the set of domains in your certificate changes, or for no longer needed certificates. (I don’t know if Let’s Encrypt sends expiration email reminders for revoked certificates.)

We do not send expiration notifications for revoked certificates per https://github.com/letsencrypt/boulder/blob/master/cmd/expiration-mailer/main.go#L277-L290

It could potentially reduce load at the CA for generating OCSP responses, because a revoked certificate only needs a single signed revoked response, whereas a valid certificate needs a continuous stream of signed good OCSP responses.

We re-sign OCSP responses every 72h, which is slightly quicker than the root programs mandate, to allow us to be on the safe side if we encounter an OCSP issue. With that said, OCSP response signing is the majority of what our HSMs handle on a daily basis, and shedding some load is a good idea.

2 Likes

I'm doing that. Partially because I agree that it is probably a good idea (though I'm not 100% sure), and partially to test that my ACME revocation code still works :)

2 Likes

One rare issue is that if your server explodes right after renewing, and you have to revert to a backup, it’s a shame if your old certificate has been revoked.

3 Likes
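The "verify the new certificate is fully deployed before revoking the old one" check from the opening post, as an added example (this is not code from the thread, from Let's Encrypt, or from any ACME client). It stands up two local TLS listeners in place of two real hosts, compares the SHA-256 fingerprint each one presents against the renewed certificate, and only reports the old certificate as safe to revoke once every host presents the new one. The hostname `example.test`, the self-signed certificates and the two-host layout are constructed for the demo; the ACME revocation request itself is deliberately left out, since it is what the gate protects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 of the DER certificate (openssl -fingerprint -sha256, no colons).
func Fingerprint(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// selfSigned builds a throwaway self-signed certificate: constructed demo data
// standing in for the old and the renewed certificate (panics on failure).
func selfSigned(name string, serial int64) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ServedFingerprint handshakes with addr (name as SNI) and returns the fingerprint of the
// leaf actually presented. Verification is skipped: we ask what is deployed, not whether it validates.
func ServedFingerprint(addr, name string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: name, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return Fingerprint(conn.ConnectionState().PeerCertificates[0].Raw), nil
}

// SafeToRevoke is the gate before revoking the old certificate: every endpoint must present
// the new one. A handshake failure or one straggler still serving the old cert keeps it alive.
func SafeToRevoke(newFP string, endpoints []string, name string) (bool, error) {
	for _, ep := range endpoints {
		fp, err := ServedFingerprint(ep, name)
		if err != nil {
			return false, fmt.Errorf("%s: %w", ep, err)
		}
		if fp != newFP {
			return false, nil
		}
	}
	return true, nil
}

// rollout stands up one local TLS listener per simulated host, runs the gate, tears them down.
func rollout(newFP, name string, hosts ...tls.Certificate) (bool, error) {
	var addrs []string
	for _, c := range hosts {
		ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{c}})
		if err != nil {
			return false, err
		}
		defer ln.Close()
		go func() { // complete each handshake, then hang up
			for {
				conn, err := ln.Accept()
				if err != nil {
					return
				}
				go func() { _ = conn.(*tls.Conn).Handshake(); conn.Close() }()
			}
		}()
		addrs = append(addrs, ln.Addr().String())
	}
	return SafeToRevoke(newFP, addrs, name)
}

// Scenario runs the gate while host B still serves the old cert (must refuse), then after both hosts present the new one (must allow).
func Scenario() (beforeRollout, afterRollout bool, err error) {
	const name = "example.test" // constructed hostname
	oldCert, newCert := selfSigned(name, 1), selfSigned(name, 2)
	newFP := Fingerprint(newCert.Certificate[0])
	if beforeRollout, err = rollout(newFP, name, newCert, oldCert); err != nil {
		return false, false, err
	}
	afterRollout, err = rollout(newFP, name, newCert, newCert)
	return beforeRollout, afterRollout, err
}

func main() { fmt.Println(Scenario()) }
```

The gate fails closed: a host that cannot be reached counts the same as a host still serving the old certificate, because revoking on incomplete information is exactly the failure the check exists to prevent. It also does not answer the rollback concern raised above on its own; for that, keep the old key and certificate on disk and hold the revocation until you would no longer restore a backup taken before the renewal, so a restored server never comes up with a revoked certificate.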
