Certificate Lifecycle Management
In the context of a Public Key Infrastructure (PKI), situations arise where an issued certificate needs to be invalidated. Three primary techniques address this: Certificate Revocation Lists (CRLs), Online Certificate Status Protocol (OCSP), and Short Lifetime Certificates.
Historically, CRLs were the standard for PKIs. A Certification Authority (CA) periodically publishes a list of revoked certificates, including serial numbers, revocation times, and reasons.
CRLs are published at CRL Distribution Points (CDPs); today HTTP is by far the most common access method. Because CRLs can become quite large, systems cache them.
Because a CRL is signed and carries its own validity period, a client can check revocation without contacting the CA, and a cached CRL even remains usable during a CDP outage. However, CRLs suffer from latency in propagating revocations: a revocation is not visible until the next CRL is published and cached copies have expired.
OCSP provides real-time certificate status checks. It is an HTTP-based protocol, specified in . Clients query an OCSP responder to verify a single certificate’s validity.
It eliminates the need for large CRLs and reduces the latency between a certificate's revocation and the certificate actually becoming invalid everywhere.
It also makes it possible to consider the live status of the certificate subject, for example whether the user the certificate was issued to is still listed in a user directory.
Issuing short-lived certificates (e.g., 1-2 weeks, sometimes only a single day) minimizes the impact of compromised keys and avoids the need for revocations.
It requires systems to fetch fresh certificates much more frequently, which makes it unusable in some cases.
Whether the effective revocation latency (here, the time until the certificate expires) is better or worse than with CRLs depends on the PKI design, but it cannot get as low as with OCSP.
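The three mechanisms above can be exercised end to end with nothing but the openssl CLI. The script below is an added example, not code from the original page: it builds a throwaway CA in a temporary directory, issues a one-day leaf certificate, and checks that certificate's status via a CRL (`openssl ca -gencrl` plus `openssl verify -crl_check`), via a complete OCSP exchange run offline (client request, responder answer from the CA's index file, client verification of the signed response), and via plain expiry (`openssl verify -attime`). It then revokes the leaf and repeats the CRL and OCSP checks. All names, subjects and file paths (`ca.cnf`, `index.txt`, `demo.example.test`, the function names) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): throwaway CA built with the
# openssl CLI; issues a 1-day leaf, revokes it, and checks status three ways
# (CRL, OCSP, expiry). Everything runs offline inside $WORK; names constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

pki_setup() (
  cd "$WORK"
  # One config serves 'openssl req' (CA self-signature) and 'openssl ca'
  # (issuance, revocation, CRL). index.txt is the CA's issuance/revocation DB.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
  mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
  for n in ca leaf; do openssl ecparam -genkey -name prime256v1 -noout -out $n.key 2>/dev/null; done
  # Long-lived CA (so the leaf expires first), then a short-lived (1 day) leaf
  openssl req -config ca.cnf -x509 -new -key ca.key -subj /CN=Demo-Root -days 365 -out ca.pem 2>/dev/null
  openssl req -config ca.cnf -new -key leaf.key -subj /CN=demo.example.test -out leaf.csr 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.pem 2>/dev/null
)

# Mark the leaf revoked in the CA database (reason is recorded in index.txt)
revoke_leaf() (
  cd "$WORK"
  openssl ca -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise 2>/dev/null
)

# Map 'openssl verify' output to a one-word status
classify() {
  case "$1" in
    *": OK"*)                    echo good ;;
    *"certificate revoked"*)     echo revoked ;;
    *"certificate has expired"*) echo expired ;;
    *)                           echo "error: $1" ;;
  esac
}

# Publish a fresh CRL from the database and verify the leaf against it
crl_status() (
  cd "$WORK"
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  classify "$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1 || true)"
)

# Verify the leaf as of now + $1 seconds: a short-lived cert simply expires
expiry_status() (
  cd "$WORK"
  at=$(( $(date +%s) + $1 ))
  classify "$(openssl verify -attime "$at" -CAfile ca.pem leaf.pem 2>&1 || true)"
)

# Full OCSP exchange without a network: client request -> responder -> client
ocsp_status() (
  cd "$WORK"
  # client side: build the request (no nonce, so the offline exchange is reproducible)
  openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout ocsp.req 2>/dev/null
  # responder side: answer from index.txt, sign with the CA key, 1-day validity
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -ndays 1 \
    -reqin ocsp.req -respout ocsp.resp >/dev/null 2>&1
  # client side: check the response signature against the trust store, read the status
  out=$(openssl ocsp -respin ocsp.resp -issuer ca.pem -cert leaf.pem -CAfile ca.pem -no_nonce 2>&1 || true)
  case "$out" in
    *"Response verify OK"*"leaf.pem: good"*)    echo good ;;
    *"Response verify OK"*"leaf.pem: revoked"*) echo revoked ;;
    *)                                          echo "error: $out" ;;
  esac
)

demo() {
  pki_setup
  echo "before revocation: crl=$(crl_status) ocsp=$(ocsp_status) now=$(expiry_status 0)"
  revoke_leaf
  echo "after revocation:  crl=$(crl_status) ocsp=$(ocsp_status) in2days=$(expiry_status 172800)"
}
demo
```

Two things worth noticing when running it. The OCSP answer is "good" before revocation only because the leaf was issued through `openssl ca` and therefore has a row in `index.txt`; a certificate the responder's database does not know about comes back as "unknown", which is the live-status property the text describes. And in a real deployment the CRL and the OCSP response are fetched over HTTP from the URLs embedded in the certificate (CDP and AIA), and the responder normally signs with a delegated responder certificate rather than the CA key itself; here both sides run in one directory so the exchange can be inspected.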