The problem we have with certificates is that they can, at the time of writing, be valid for up to 39 months and we need to look after them during that time. If we lose the key associated with our certificate then whoever obtains the key can use our certificate to prove they are us. Imagine that, someone else on the internet being able to prove that they are you, when they are not you! This is the problem that revocation solves. We can make a request to our CA to revoke the certificate and then browsers will know not to trust it.
Revoking a Let's Encrypt certificate
I use a script called acme_tiny to obtain my Let's Encrypt certificates and I will be using another script from the same author to revoke them, revoke_crt.py. Grab a copy of the script to get started.
If that command succeeds there will be no output and you can switch back to the other window and hit Enter to complete the original command.
That's it, your certificate is now revoked! Hopefully you will never need to actually do this but it's always good to know how.
Verify the revocation
Of course, now that the certificate is revoked, it'd be cool to see the proof. To do that, we're going to use OCSP, the Online Certificate Status Protocol. I've talked about OCSP in the past and how to enable a cool feature called OCSP Stapling, but today we're going to do a manual OCSP request and fetch the response. To do that we will need the root and intermediate certificates from our chain.
There are a few components to this command so let's break them out. We're using openssl and specifically the ocsp tool. The -noverify flag tells the tool we don't want it to verify the response and -no_nonce instructs it not to include an OCSP nonce in the request. After that, the -issuer flag provides the certificate chain we created earlier, the -cert flag is the certificate we want to check the status of and the -url flag is the location of the OCSP responder we want to query. The last flag, -header, adds the appropriate Host header to the request so we don't get a 400 Bad Request back from Let's Encrypt. Once you fire that request, you should get an OCSP response back.
ThisUpdate: Jun 20 12:00:00 2017 GMT
NextUpdate: Jun 27 12:00:00 2017 GMT
RevocationTime: Jun 20 12:35:27 2017 GMT
That's the proof that our certificate has indeed been revoked!
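The manual OCSP check described above, written up as an added example (it is not the post's own command or script): the responder URL is read from the certificate instead of being typed by hand, and the Host header is derived from it. The file names cert.pem, intermediate.pem, root.pem and chain.pem are assumed placeholders.

```shell
#!/bin/sh
# Added example: manual OCSP status check using the flags the post describes.
# Assumed inputs: cert.pem is the leaf certificate; intermediate.pem and root.pem
# are the chain certificates fetched earlier and concatenated into chain.pem.

# Pull the host name out of a URL such as http://ocsp.example.test/ (pure shell,
# so it also works for the Host header without any extra tooling).
host_from_url() {
    url=$1
    rest=${url#*://}              # strip the scheme
    rest=${rest%%/*}              # drop any path
    printf '%s\n' "${rest%%:*}"   # drop any port
}

# Read the OCSP responder URL from the certificate's Authority Information
# Access extension, so the responder does not have to be hard-coded.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Query the responder. -noverify and -no_nonce match the post; -issuer takes the
# concatenated chain; -header supplies the Host header Let's Encrypt requires.
# The "Host=name" form is OpenSSL 1.1.0+ syntax; 1.0.x used "-header Host name".
# The summary printed (good/revoked, This Update, Next Update, Revocation Time)
# is what the post shows as proof of revocation.
ocsp_status() {
    cert=$1
    issuer=$2
    url=$(ocsp_uri_of "$cert") || return 1
    [ -n "$url" ] || { echo "no OCSP responder URL in $cert" >&2; return 1; }
    host=$(host_from_url "$url")
    openssl ocsp -noverify -no_nonce \
        -issuer "$issuer" -cert "$cert" \
        -url "$url" -header "Host=$host"
}

# Usage (run by hand; network access to the responder is required):
#   cat intermediate.pem root.pem > chain.pem
#   ocsp_status cert.pem chain.pem
```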