
What is Certificate Revocation?

The average number of certificates an organization needs to manage grew 43 percent in 2020, so having a good certificate management system is paramount to success for any enterprise. SecureW2’s Managed PKI is turnkey and gives admins everything they need for certificate management. Learn from one of our customers how easy it was to get set up with SecureW2.

Certificate revocation is a (usually manual) process in which a certificate is declared invalid before the end of its lifecycle. It can happen for any number of reasons (covered later in this article), but in short, it is the mechanism that tells the RADIUS server to stop accepting that certificate from then on.

When Should A Certificate Be Revoked?

Revocation is typically done when a device is compromised or when an employee leaves the organization. Generally speaking, these events are rare, so certificates need not be revoked frequently.

Revocation also happens when a device re-enrolls for a certificate: once the new certificate is issued, the old, still-valid certificates are added to the Certificate Revocation List (CRL).

What is a Certificate Revocation List?

A certificate revocation list, more commonly called a CRL, is exactly what it sounds like: a list of digital certificates that have been revoked.

A CRL is an important component of public key infrastructure (PKI). The CRL is populated with revoked certificates from a trusted certificate authority (CA), another part of the PKI. Importantly, only the CA that issued the certificate has the power to revoke it and place it on the CRL.

A certificate that expires rather than being revoked does not go onto the CRL, because an expired certificate is rejected automatically. It fails at the first step of the authentication process, well before the CRL is checked, so there is no need to list it there.

Furthermore, certificates that reach their expiration date while on a CRL are removed from the list. Regardless of the reason for their revocation, they will no longer be accepted anyway. This also keeps the CRL small; a very large CRL slows down authentication.

Reasons for Certificate Revocation

The reason a certificate was revoked is recorded in the CRL, so you can refer to it when deciding whether to reissue a certificate or keep it revoked. Here are the RFC 5280 revocation reasons (called Reason Codes), usually referred to simply by their assigned number.

  • unspecified (0)
    • A catch-all code for any reason that isn’t specified. Usually the default option.
  • keyCompromise (1)
    • The certificate itself was compromised, specifically the private key contained in the certificate.
  • cACompromise (2)
    • The certificate authority that issued this certificate was compromised, which means all of the certificates it has ever issued are now compromised.
  • affiliationChanged (3)
    • This code is reserved for when the user the certificate was issued to leaves the organization.
  • superseded (4)
    • This code indicates that the certificate was revoked because user information had to be changed, such as the legal name of the user being changed.
  • cessationOfOperation (5)
    • This is a simple one: it just means that the certificate was replaced.
  • certificateHold (6)
    • This is something of a generic code that indicates a certificate has been revoked only temporarily.
  • removeFromCRL (8)
    • Somewhat counterintuitively, this indicates that the certificate authority has been removed from the network and, thus, from the CRL.
  • privilegeWithdrawn (9)
    • Similar to affiliationChanged, this code is reserved for when the user of the certificate, a person or device, has had their network privileges revoked. This usually occurs when the person leaves the organization or a device is decommissioned, then their certificate is also retired.
  • aACompromise (10)
    • The RADIUS server handling the certificate authentication was compromised, and so any certificate that passed through may have also been compromised.

CRL Additions and Alternatives

A CRL is not a single static file; it can be made up of several components. There are also other options for checking certificate revocation.

Delta CRL

A delta CRL is an optional auxiliary CRL that contains only the changes made since the last base CRL update. A base CRL is the standard CRL discussed so far; it is only called "base" in relation to a delta CRL when one is present.

Large organizations, or ones that need to revoke certificates regularly, often have CRLs that grow very long. Since a certificate has to stay on the CRL until it reaches its natural expiry date, it may remain on the list for several years. At some point, the CRL contains so many entries that the RADIUS server needs a significant amount of time to download and check it, which slows down authentication.

Since no one wants to wait to connect to the network, the delta CRL is used to speed up the process. The RADIUS server stores or caches a copy of the base CRL internally, so during authentication it only needs to request the delta CRL. The delta CRL contains only the certificates revoked since the last base CRL update and is much shorter. Every week or so the RADIUS server downloads a new version of the base CRL, and the delta CRL is emptied and refreshed.

OCSP

OCSP stands for Online Certificate Status Protocol. It is a protocol described in RFC 6960 that can be used to request the revocation status of a digital certificate.

OCSP is simpler and faster than CRLs because the certificate check is performed by the (usually public) CA instead of your PKI, shifting the burden to them. It also carries less data and is easier for the CA to parse. However, OCSP is significantly less secure than a full PKI with a CRL, for several reasons.

First, OCSP has no requirement for encryption, which is inherent in the authentication process used by a PKI. Information is sent in clear text and can be intercepted and used against the organization. Second, it is less informative: the only information you can receive from an OCSP request is whether a certificate is "good", "revoked", or "unknown".

But the worst flaw of OCSP is that it is vulnerable to replay attacks. An attacker can intercept a certificate's "good" response and replay it in answer to another OCSP request later. Since OCSP responders conserve server resources by giving their responses a validity period measured in days, they reduce the number of responses they must generate, but a response can be replayed for that whole period.
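The following is an added example (not SecureW2's code) that ties together the reason-code list, the base/delta CRL mechanism and the OCSP replay problem above, using the Python `cryptography` library. A constructed CA issues a handful of device certificates, publishes a base CRL from three days ago and a delta CRL from this morning with RFC 5280 reason codes, and signs an OCSP response. `check_status` performs the RADIUS-side checks in the order the article describes (expiry first, then the delta CRL, then the base CRL) and reports the numeric reason code; `accept_ocsp` shows the standard client-side defences against a replayed "good" response, the RFC 6960 nonce extension plus a maximum response age, which go beyond what the article spells out. The CA name, device names, serial numbers, nonce and timestamps are all made up.

```python
"""Added example, not SecureW2's code: a constructed CA issues device certificates,
publishes a base CRL plus a delta CRL carrying RFC 5280 reason codes, and signs an
OCSP response; the check functions show the verification order described above."""
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime(2024, 1, 15, 12, 0, 0)  # constructed "current time" (UTC) so the run is deterministic
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Device CA")])
# RFC 5280 CRLReason numeric codes, as listed in the article (7 is unassigned)
REASON_CODES = {x509.ReasonFlags.unspecified: 0, x509.ReasonFlags.key_compromise: 1,
                x509.ReasonFlags.ca_compromise: 2, x509.ReasonFlags.affiliation_changed: 3,
                x509.ReasonFlags.superseded: 4, x509.ReasonFlags.cessation_of_operation: 5,
                x509.ReasonFlags.certificate_hold: 6, x509.ReasonFlags.remove_from_crl: 8,
                x509.ReasonFlags.privilege_withdrawn: 9, x509.ReasonFlags.aa_compromise: 10}

def make_cert(common_name, serial, not_after, issuer_key=None):
    """Issue a certificate signed by issuer_key; without one it is the self-signed CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    is_ca = issuer_key is None
    subject = CA_NAME if is_ca else x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=30)).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(key if is_ca else issuer_key, hashes.SHA256()))
    return key, cert

CA_KEY, CA_CERT = make_cert("Example Device CA", 1, NOW + timedelta(days=3650))
_, LAPTOP_OK = make_cert("laptop-01", 1001, NOW + timedelta(days=365), CA_KEY)
_, LAPTOP_STOLEN = make_cert("laptop-02", 1002, NOW + timedelta(days=365), CA_KEY)
_, LAPTOP_LEAVER = make_cert("laptop-03", 1003, NOW + timedelta(days=365), CA_KEY)
_, LAPTOP_EXPIRED = make_cert("laptop-04", 1004, NOW - timedelta(hours=1), CA_KEY)

def build_crl(revocations, issued_at, valid_for=timedelta(days=7), delta_of=None):
    """revocations: [(serial, x509.ReasonFlags)]; delta_of=<base CRL number> makes a delta CRL."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(issued_at).next_update(issued_at + valid_for))
    if delta_of is not None:  # RFC 5280 flags a delta CRL with a critical Delta CRL Indicator
        builder = builder.add_extension(x509.DeltaCRLIndicator(delta_of), critical=True)
    for serial, reason in revocations:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(issued_at)
                 .add_extension(x509.CRLReason(reason), critical=False).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(CA_KEY, hashes.SHA256())

# Weekly base CRL from three days ago; the delta covers what happened since (a leaver this morning).
BASE_CRL = build_crl([(1002, x509.ReasonFlags.key_compromise)], NOW - timedelta(days=3))
DELTA_CRL = build_crl([(1003, x509.ReasonFlags.affiliation_changed)], NOW - timedelta(hours=6), delta_of=1)

def check_status(cert, base_crl, delta_crl=None, now=NOW):
    """RADIUS-side order: expiry first, then the short delta CRL, then the cached base CRL."""
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        return False, "expired"
    for crl in (delta_crl, base_crl):
        if crl is None:
            continue
        if not crl.is_signature_valid(CA_CERT.public_key()) or crl.issuer != cert.issuer:
            return False, "crl not trusted"  # only the issuing CA may revoke its certificates
        if now > crl.next_update:
            return False, "crl stale"
        entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
        if entry is not None:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
            return False, f"revoked: {reason.name} ({REASON_CODES[reason]})"
    return True, "good"

def ocsp_respond(cert, nonce, this_update, valid_for=timedelta(days=7)):
    """The responder signs a GOOD answer and echoes the requester's nonce (RFC 6960 nonce extension)."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=CA_CERT, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=this_update,
                          next_update=this_update + valid_for, revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
            .add_extension(x509.OCSPNonce(nonce), critical=False)
            .sign(CA_KEY, hashes.SHA256()))

def accept_ocsp(resp, my_nonce, now=NOW, max_age=timedelta(hours=1)):
    """Client-side checks against the replay the article warns about: signature, nonce, then age."""
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "no status"
    CA_CERT.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))  # raises InvalidSignature
    if resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce != my_nonce:
        return False, "nonce mismatch: replayed or foreign response"
    if now - resp.this_update > max_age:  # a days-old 'good' is still inside next_update; refuse it anyway
        return False, "too old"
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD, resp.certificate_status.name

NONCE = b"\x01" * 16  # constructed; a real client draws a fresh nonce from os.urandom for each request
FRESH = ocsp_respond(LAPTOP_OK, NONCE, NOW - timedelta(minutes=5))
OLD = ocsp_respond(LAPTOP_OK, NONCE, NOW - timedelta(days=2))  # still before next_update, but days old

if __name__ == "__main__":
    for c in (LAPTOP_OK, LAPTOP_STOLEN, LAPTOP_LEAVER, LAPTOP_EXPIRED):
        print(c.subject.rfc4514_string(), check_status(c, BASE_CRL, DELTA_CRL))
    print("fresh response:", accept_ocsp(FRESH, NONCE))
    print("same response, different nonce:", accept_ocsp(FRESH, b"\x02" * 16))
```

Run as a script, it prints one line per device: laptop-01 is good, laptop-02 is "revoked: key_compromise (1)" from the base CRL, laptop-03 is "revoked: affiliation_changed (3)" from the delta CRL (and would still pass if only the three-day-old base CRL were consulted, which is the whole point of fetching the delta), and laptop-04 is rejected as expired before any CRL is opened. The OCSP part shows the same signed "good" response being accepted once and refused when the nonce does not match the request it is answering, or when it is older than the client's own freshness limit.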

Using SecureW2 For Efficient Certificate Management

Configuring your certificate management system is of the utmost importance for properly securing your network. SecureW2 provides an easy-to-use GUI that can make revoking certificates as easy as pressing a button.

Having a GUI is great because it makes certificate management simple enough for anyone to understand. You can easily search for a person by name, MAC Address, Computer Model, or any other attribute you choose to populate your certificates with. This is a great way to make your IT operations more efficient, without having the risks of giving anyone complete access to your PKI.

Managing Certificates with Identity Lookup

During the authentication process, identity lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Identity Provider. This works as a last line of defense if a disgruntled employee were to perform any malicious activity before the CRL was updated to revoke their network access.

This tool is invaluable to organizations that value security, but historically it was only available to companies that used LDAP. SecureW2 can eliminate the need for an outdated Active Directory or LDAP server by providing industry-exclusive Identity Lookup technology for SAML-based Identity Providers.

Because the entire process is automated, managing certificates is far easier and more efficient for both end users and IT personnel.

Certificate Revocation Made Easy

A good PKI allows for organizations to fully manage their certificates with just a few clicks and minimal technological hoops.

SecureW2 provides just such a management suite – it’s intuitive, powerful, and highly customizable to suit any organization’s needs. We have affordable PKI and certificate solutions for organizations of every size, check out our pricing here to see how we can help you.

Key Takeaways:
  • Certificate revocation is a (usually manual) process in which a certificate is deemed invalid before the end of its lifecycle.
  • Generally, certificates need not be revoked frequently.
  • A good PKI allows you to fully manage your certificates with just a few clicks and minimal technological barriers.
Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
