A user may choose to request revocation of a digital certificate under their control. They might make such a request if they accidentally published the certificate's private key on a public website, or learn that attackers stole the key from their company's servers. Upon receiving the user's request, the issuing Certificate Authority (CA) may revoke the certificate, so that it is no longer trusted to secure HTTPS connections to the certificate owner's domain.
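To show what "revoking the certificate" actually does for a client, here is an added example (not part of the original article) in which a throwaway CA issues a certificate, revokes it for key compromise, and publishes a Certificate Revocation List (CRL); two relying parties then check the certificate, one that consults the CRL and one that does not. Everything here is constructed: the CA name, the hostname www.example.test, the serial numbers and the temporary directory. Only the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: a demo CA issues a leaf certificate, revokes it and publishes a CRL;
# relying parties then verify the leaf with and without consulting that CRL.
# All names and values below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so 'openssl ca' can track issued and revoked serial numbers.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
unique_subject   = no

[ demo_policy ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt           = no

[ req_dn ]
commonName       = placeholder
EOF
mkdir newcerts
: > index.txt
echo 1000 > serial        # hex serial number for the next issued certificate
echo 01 > crlnumber

# 1. Self-signed CA certificate (the issuer) with the extensions a CA needs.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
    -subj "/CN=Example Demo CA" -config ca.cnf \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

# 2. Subscriber key and CSR; the CA issues the leaf certificate from it.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem 2>/dev/null

# A relying party that never fetches revocation data: prints trusted/rejected.
verify_without_crl() {
    if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

# A relying party that checks the CA's CRL (-crl_check) before trusting the leaf.
verify_with_crl() {
    if openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# "yes" if the leaf's serial number is listed in the published CRL, else "no".
leaf_listed_in_crl() {
    serial=$(openssl x509 -in leaf.pem -noout -serial | sed 's/^serial=//')
    if openssl crl -in crl.pem -noout -text | grep -q "Serial Number: $serial"; then echo yes; else echo no; fi
}

# 3. Publish an empty CRL: nothing is revoked yet, so both clients trust the leaf.
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
echo "before revocation: no-CRL client=$(verify_without_crl) CRL-checking client=$(verify_with_crl) listed=$(leaf_listed_in_crl)"

# 4. The CA revokes the leaf (reason: key compromise) and publishes a fresh CRL.
#    Only the client that consults the CRL notices; the other still trusts the leaf.
openssl ca -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
echo "after revocation:  no-CRL client=$(verify_without_crl) CRL-checking client=$(verify_with_crl) listed=$(leaf_listed_in_crl)"
```

The second summary line is the point of the exercise: the certificate is cryptographically unchanged after revocation, and a client that skips revocation checking keeps accepting it. Revocation only protects the relying parties that actually consult the CA's CRL (or OCSP responder), which is why the CA's publication and the client's checking both matter.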
Revocation does not always begin with the user, however. Many CAs have specific guidelines for when they must revoke a certificate, and some of these rules allow revocation even when the CA has not heard from the owner.
To illustrate, SSL certificate provider Entrust states that it must revoke extended validation (EV) Multi-Domain SSL Certificates under several conditions that do not require the Subscriber to initiate the request. These include the following:
- It learns that the Subscriber's private key is likely compromised or that someone has abused one of its EV Multi-Domain SSL Certificates.
- It receives notice that a Subscriber has disobeyed part of its Subscriber Agreement.
- It becomes aware of a judicial decision that prevents the Subscriber from using the domain name listed in the EV Multi-Domain SSL Certificate, or of a failure by the Subscriber to renew that domain.
- It learns that any of the information contained in the EV Multi-Domain SSL Certificate has changed and/or is not accurate.
Under these and similar circumstances, Entrust or another reputable CA will, within 24 hours, begin investigating any Certificate Problem Reports it has received from the Subscriber or from third parties. It will determine the nature of the problem, the number of Certificate Problem Reports it has received, and the identities of those who submitted them. The CA will then use that information to decide whether revocation is a justified response.
Such strict revocation guidelines underline the need for organizations to manage their certificates properly. Organizations should make sure they store their private keys securely, for example. They should also have an automated certificate management solution that tracks anomalies across their certificates and issues alerts when appropriate.
The Venafi Platform is designed to give organizations full control over their certificates. It provides separation of duties so that companies can report on each certificate's status regardless of the issuing CA. The Venafi Platform also integrates with centralized SIEM systems, enabling personnel to track, detect, report, and issue alerts on any certificate anomalies.