Why We Need Certificate Revocation
July 24, 2018 | David Warburton, Senior Threat Research Evangelist, F5 Networks

Certificate revocation is an important, if ill-understood, part of enterprise security. In this three-part blog series, I’ll explore why we need it, how you do it, and strategies for maximizing the benefits you get from it.

Certificates Everywhere

The use of digital certificates is growing exponentially. In particular, the move to a fully encrypted web is increasing the use of web server certificates. Google’s HTTPS transparency report shows that its Chrome browser now handles around 70% of traffic over TLS, with similar numbers reported by Mozilla’s Firefox. Let’s Encrypt, the fastest growing and one of the largest Certificate Authorities on the web, creates around 600,000 free certificates on its platform every single day.

Figure 1: Google Chrome HTTPS Usage

Digital certificates are essential to engendering trust between two otherwise anonymous parties. Certificates are used by our web browsers to ensure that the site we intended to visit really is the one we’ve actually arrived at. In addition to web server certificates, the widespread use of smart cards and the explosion of IoT devices mean that certificates are increasingly being used to provide a strong notion of user and device identity.

Certificates are often installed onto devices by Mobile Device Management (MDM) software or embedded into smartcards for users to carry in their wallet. Smartcards, despite their small size, are credit-card-sized computers that contain just enough computing power to perform a cryptographic operation such as encrypting a number.

Figure 2: Sample smart card with an embedded microcontroller

In order to use certificates for trust and authentication, there are two important security guarantees that they must provide before we accept them.

1. Is the certificate valid?

First and foremost, has the certificate been created by someone that we trust? Does it come signed by a mutually trusted certificate authority? Do the start and expiry dates appear to be valid? Does it match the name of the person or organization presenting the certificate to us? Is all of this information consistent with the signed hash of the certificate, so that we can be sure it hasn’t been tampered with?

2. Has it been revoked?

In addition to checking the validity, however, it’s also crucial to check whether that certificate has been revoked. If a user leaves an organization, or changes roles, we must revoke the certificate to prevent it from being used in the future. There may have been a vulnerability discovered in our smart cards, so we may need to revoke possibly thousands of cards at a time. In the worst-case scenario, it’s possible that our certificate authority (the third party entrusted to create certificates on our behalf) was compromised and attackers have created valid-looking certificates which can be used in anything from phishing to malware campaigns.
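The two questions above map directly onto code. The following is an added example, not code from the original post: it builds a throwaway CA, a leaf certificate and a CRL entirely in memory using the Python `cryptography` package (assumed to be installed), then runs check 1 (trusted issuer, signature, dates, name) and check 2 (serial listed in a CRL that the CA actually signed). It also goes slightly beyond the post by showing that a certificate from a rogue issuer with the same CA name fails on the signature even though the names match.

```python
"""Added example (not the post's code): the two checks a relying party
should run before trusting a certificate, demonstrated against a
constructed CA, leaf and CRL. Assumes the `cryptography` package."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed "current time" so the example is deterministic (naive UTC).
NOW = datetime.datetime(2018, 7, 24, 12, 0, 0)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(name="Example Root CA"):
    """Self-signed root for the example; name is a constructed value."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(name)).issuer_name(_name(name))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname, days=90):
    """End-entity certificate for `hostname`, signed by the given CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(hostname)).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA listing the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())


def _validity_window(cert):
    # Newer cryptography exposes *_utc (tz-aware); older only the naive form.
    nvb = getattr(cert, "not_valid_before_utc", None)
    if nvb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nvb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def is_valid(cert, ca_cert, hostname, now=NOW):
    """Check 1: trusted issuer, intact signature, dates in range, name matches."""
    if cert.issuer != ca_cert.subject:
        return False
    try:  # the signature covers the to-be-signed portion of the certificate
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False
    start, end = _validity_window(cert)
    if not (start <= now <= end):
        return False
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return False
    return hostname in san.get_values_for_type(x509.DNSName)


def is_revoked(cert, crl, ca_cert):
    """Check 2: serial present in a CRL whose signature the CA's key verifies."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify; refuse to use it")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def check(cert, ca_cert, crl, hostname, now=NOW):
    if not is_valid(cert, ca_cert, hostname, now):
        return "invalid"
    return "revoked" if is_revoked(cert, crl, ca_cert) else "ok"


def demo():
    """Run both checks over constructed scenarios; returns a name -> verdict map."""
    ca_key, ca_cert = make_ca()
    leaf = issue_leaf(ca_key, ca_cert, "www.example.test")
    empty_crl = build_crl(ca_key, ca_cert, [])
    revoked_crl = build_crl(ca_key, ca_cert, [leaf.serial_number])
    rogue_key, rogue_ca = make_ca()  # same CA name, different key: must fail check 1
    rogue_leaf = issue_leaf(rogue_key, rogue_ca, "www.example.test")
    return {
        "fresh": check(leaf, ca_cert, empty_crl, "www.example.test"),
        "after_revocation": check(leaf, ca_cert, revoked_crl, "www.example.test"),
        "wrong_name": check(leaf, ca_cert, empty_crl, "other.example.test"),
        "expired": check(leaf, ca_cert, empty_crl, "www.example.test",
                         now=NOW + datetime.timedelta(days=91)),
        "rogue_issuer": check(rogue_leaf, ca_cert, empty_crl, "www.example.test"),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:18s} -> {verdict}")
```

Note that `is_revoked` refuses to answer at all if the CRL's own signature does not verify: a revocation list that anyone could forge would let an attacker un-revoke a certificate simply by serving an empty one, so the CRL must be authenticated before its contents are consulted.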

When the Heartbleed SSL/TLS vulnerability was announced, there was a huge increase in the number of certificates that were revoked, since the exploit potentially allowed attackers to read the private key and, as a result, decrypt all traffic (past, present and future).

As we can see, there are many situations in which blindly trusting a certificate because the name and date seem valid would be a Very Bad Thing.

When a new application is released, there will often be lots of security devices deployed in an attempt to provide defense in depth. We often see web app firewalls, intrusion detection systems, SIEM solutions, and yet, in the majority of environments, there are few attempts, if any, to check whether a given certificate has been revoked. To make matters worse, since digital certificates are believed to be an extremely strong method of authentication, there is often an over-inflated sense of trust in the cert that a user holds.

Checking the validity of a digital certificate is easy. The information in the cert is digitally signed so we can use cryptographic algorithms to mathematically verify its contents. Checking the revocation status of certs, however, is not so easy. And this is why I see, time and time again, new deployments that rely on the strong cryptographic assertions provided by digital certificates totally undermined by making no attempt to check for revocation.

In my next post, I will outline the specifics involved in revoking certificates.

Come see how Venafi and F5 are working together to simplify machine identity protection at F5 Agility 2018 in Boston, MA August 13-16. For more information on how F5 can help deliver secure authentication please visit

About the author

David Warburton, Senior Threat Research Evangelist, F5 Networks

David Warburton is Senior Threat Research Evangelist (EMEA) at F5 Labs. He works with academia and F5 Networks to help customers understand trends in common and emerging threats to information security.
