Runbook: Revoke Certificate
Duration: ~5 minutes
Role: PKI Operator / Security
Priority: HIGH on compromise
Workflow

```mermaid
flowchart TD
    A[Revocation request] --> B{Reason?}
    B -->|Compromise| C[Revoke IMMEDIATELY]
    B -->|Replacement| D[Revoke planned]
    B -->|Error| E[Check + revoke]
    C --> F[Update CRL]
    D --> F
    E --> F
    F --> G[Distribute CRL]
    G --> H[Update OCSP]
    H --> I[Notification]
    I --> J[Documentation]
    style C fill:#ffebee
    style F fill:#fff3e0
    style G fill:#e3f2fd
```
Revocation Reasons (RFC 5280)
| Code | Reason | When to use |
| ---- | ------ | ----------- |
| 0 | unspecified | Default (not recommended) |
| 1 | keyCompromise | Private key compromised |
| 2 | cACompromise | CA compromised |
| 3 | affiliationChanged | Organization changed |
| 4 | superseded | Replaced by new certificate |
| 5 | cessationOfOperation | Service discontinued |
| 9 | privilegeWithdrawn | Permission revoked |
Step 1: Identify Certificate
```bash
# Read serial number and subject from the certificate file
openssl x509 -in certificate.pem -serial -subject -noout

# Search the CA database for the subject
grep -r "CN=server.example.com" /etc/pki/CA/index.txt
```

```powershell
# PowerShell: find the certificate in the local machine store
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*server.example.com*" } |
    Select-Object SerialNumber, Subject, Thumbprint
```
Step 2: Perform Revocation
OpenSSL (CLI)
```bash
# Revoke certificate
openssl ca -config openssl.cnf \
    -revoke /path/to/certificate.pem \
    -crl_reason keyCompromise

# Alternative: by serial number. openssl ca has no revoke-by-serial option,
# so point -revoke at the CA's archived copy in newcerts/ (named after the serial)
openssl ca -config openssl.cnf \
    -revoke /etc/pki/CA/newcerts/01234567890ABCDEF.pem \
    -crl_reason keyCompromise
```
C# (WvdS.System.Security.Cryptography)
```csharp
using System;
using System.IO;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.System.Security.Cryptography;   // library namespace from the heading above

// Certificate to revoke (identified in Step 1)
var revokedCert = X509Certificate2.CreateFromPemFile("certificate.pem");

// Revoke certificate and create CRL
var crlBuilder = new CertificateRevocationListBuilder();

// Add revocation entry: serial, revocation time, RFC 5280 reason
crlBuilder.AddEntry(
    revokedCert.SerialNumber,
    DateTimeOffset.UtcNow,
    X509RevocationReason.KeyCompromise);

// Sign CRL (Hybrid mode)
using var issuerCert = new X509Certificate2("ca.pfx", "password");
var crlNumber = BigInteger.Parse("42");
var nextUpdate = DateTimeOffset.UtcNow.AddDays(7);

byte[] crl = crlBuilder.Build(
    issuerCert,
    crlNumber,
    nextUpdate,
    HashAlgorithmName.SHA384,
    CryptoMode.Hybrid);

File.WriteAllBytes("crl.der", crl);
```
Step 3: Generate and Distribute CRL
```bash
# Generate new CRL
openssl ca -config openssl.cnf -gencrl -out crl.pem

# Convert CRL to DER format (for distribution)
openssl crl -in crl.pem -outform DER -out crl.der

# Inspect CRL contents
openssl crl -in crl.pem -text -noout

# Verify CRL signature against the issuing CA certificate (prints "verify OK")
openssl crl -in crl.pem -CAfile ca.pem -noout
```
Distribution Points:
| Method | Target | Command |
| -------- | -------- | --------- |
| HTTP | Web server | cp crl.der /var/www/pki/crl.der |
| LDAP | Active Directory | ldapmodify -f update-crl.ldif |
| CDP | In certificate | Automatic via URL |
```bash
# Copy CRL to web server
scp crl.der webserver:/var/www/html/pki/crl.der

# Nginx/Apache reload (if cached)
ssh webserver "systemctl reload nginx"
```
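As an added end-to-end check for Steps 2 and 3 and checklist items 1 and 2 (example code, not part of this runbook): a throwaway CA is built in a temporary directory, one certificate is issued, revoked with reason keyCompromise and the CRL regenerated, and crl_status then applies the same CRL check a client performs. Only the openssl CLI (1.1.1 or 3.x) is assumed; the lab config, names and paths are all constructed here.

```shell
# Added example, not from the original runbook: throwaway CA, issue, revoke,
# regenerate CRL, then check the certificate the way a CRL-aware client does.
# Assumes only the openssl CLI; every name and path below is constructed.
set -e
LAB=$(mktemp -d); cd "$LAB"
mkdir newcerts; touch index.txt; echo 1000 > serial
cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $LAB
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
# Lab CA and one server certificate (unprotected keys: lab use only)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
  -subj "/CN=Lab CA" -addext "basicConstraints=critical,CA:TRUE" -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=server.example.com" -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in srv.csr -out srv.pem 2>/dev/null

# crl_status CERT CA_CERT CRL -> prints good | revoked | error (the client's decision)
crl_status() {
  if out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1); then echo good
  else case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac; fi
}
# crl_reason SERIAL_HEX CRL -> prints the reason recorded for that serial (empty if absent)
crl_reason() {
  openssl crl -in "$2" -text -noout | awk -v s="Serial Number: $1" \
    '$0 ~ s {f=1} f && /CRL Reason Code/ {getline; sub(/^ +/, ""); print; exit}'
}

openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null        # empty CRL
BEFORE=$(crl_status srv.pem ca.pem crl.pem)                          # good
openssl ca -config ca.cnf -revoke srv.pem -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null        # CRL now lists serial 1000
AFTER=$(crl_status srv.pem ca.pem crl.pem)                           # revoked
echo "before=$BEFORE after=$AFTER reason=$(crl_reason 1000 crl.pem)"
```

The same crl_status call, pointed at the production CA certificate and the freshly distributed crl.der (converted back to PEM), is a direct test of checklist item 1.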
Step 4: Update OCSP (if used)
```bash
# OCSP responder index updates automatically (OpenSSL CA):
# the responder reads /etc/pki/CA/index.txt

# Test OCSP response
openssl ocsp \
    -issuer intermediate.pem \
    -cert certificate.pem \
    -url http://ocsp.example.com \
    -resp_text
```
Expected response after revocation:
```text
Cert Status: revoked
Revocation Time: Dec 15 10:30:00 2024 GMT
Revocation Reason: keyCompromise
```
Step 5: Notification
Required notifications:
| Recipient | Method | Content |
| ----------- | -------- | --------- |
| Certificate holder | E-mail | Serial number, reason, next steps |
| Security Team | Ticket | Incident details |
| Affected systems | Alert | Automatic via monitoring |
```bash
# Send e-mail (template). The delimiter is unquoted so that $(date -Iseconds)
# is expanded; a quoted 'EOF' would send the literal text instead of the date.
cat << EOF | mail -s "Certificate Revoked - Action Required" admin@example.com
Certificate has been revoked:

Serial number: 01:23:45:67:89:AB:CD:EF
Subject: CN=server.example.com
Reason: Key Compromise
Date: $(date -Iseconds)

Action required:
1. Configure service with new certificate
2. Remove old certificate from all systems

Questions: pki-team@example.com
EOF
```
Step 6: Documentation
| Field | Value |
| ------- | ------- |
| Serial number | 01:23:45:67:89:AB:CD:EF |
| Subject | CN=server.example.com |
| Revocation reason | keyCompromise |
| Revocation date | 2024-12-15 10:30:00 UTC |
| CRL number | 42 |
| Operator | Operator-Name |
| Ticket | SEC-2024-0815 |
Emergency: Mass Revocation
On CA compromise: → Emergency Revocation Runbook
```bash
# Revoke all certificates of a CA
for cert in /etc/pki/CA/newcerts/*.pem; do
    openssl ca -config openssl.cnf -revoke "$cert" -crl_reason cACompromise
done

# New CRL with short validity
openssl ca -config openssl.cnf -gencrl -crldays 1 -out emergency-crl.pem
```
Checklist
| # | Checkpoint | Done |
| --- | ------------ | ------ |
| 1 | Certificate entered in CRL | |
| 2 | CRL signed and valid | |
| 3 | CRL available on all CDPs | |
| 4 | OCSP responds revoked | |
| 5 | Certificate holder notified | |
| 6 | Security ticket documented | |
Troubleshooting
| Problem | Cause | Solution |
| --------- | ------- | ---------- |
| already revoked | Duplicate revocation | Ignore |
| unknown serial | Not from this CA | Check CA |
| CRL invalid | Signature error | Check CA key |
| OCSP responds good | Cache/sync | Restart OCSP responder |
Related Runbooks
- Issue Certificate - Replacement certificate
- Emergency Revocation - Mass revocation
- Validation Quick Reference - CRL/OCSP verification
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 2026/01/30 at 01:43 AM