Certificate Revocation With CRL And OCSP

Understand how a compromised certificate is invalidated before it expires.

5 min read · advanced

When A Certificate Goes Bad

A TLS certificate carries an expiry date, but sometimes it must be invalidated early, for example because its private key leaked, the authority mis-issued it, or the subscriber no longer controls the name. Revocation is how a certificate authority declares a certificate untrustworthy before it would naturally expire.

Certificate Revocation Lists

The original approach is a certificate revocation list (CRL): a list of revoked serial numbers, each with a revocation date and an optional reason, signed by the issuing authority and published at the URL named in the certificate's CRL distribution point extension.

  • Clients download the list and check whether the certificate's serial number appears on it.
  • The list grows over time and can become large, since an entry stays on it until the certificate would have expired anyway.
  • Each CRL carries a thisUpdate and a nextUpdate time. A certificate revoked after thisUpdate is invisible to clients until they fetch the next list, so the list can be stale between updates, leaving a window of risk.

Online Status With OCSP

The online certificate status protocol (OCSP) improves freshness. Instead of fetching the whole list, the client sends the serial number of one certificate (with hashes of the issuer's name and key) to the authority's OCSP responder and gets back a signed status for that certificate: good, revoked or unknown.

  • It returns a small, current answer, and the response carries its own thisUpdate time so the client can judge how fresh it is.
  • It adds a network round trip during the handshake, so latency, and the responder learns which sites a user visits.
  • If the responder is unreachable, most clients soft-fail and accept the certificate anyway, so an attacker who can block OCSP traffic can also hide a revocation.

Stapling For Speed And Privacy

OCSP stapling addresses both drawbacks. The server fetches a recent signed OCSP response for its own certificate and staples it into the TLS handshake (the certificate status request extension). The client checks the authority's signature and the response's validity window, so it gets proof of status without contacting the responder itself, which removes the extra round trip and the privacy leak. One caveat: a client cannot tell whether a server simply omitted the staple, so a server presenting a revoked certificate can just not staple anything, unless the certificate carries the OCSP must-staple extension, which tells clients to reject a handshake that arrives without one.
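The three mechanisms above, worked through end to end with the openssl command-line tool. This is an added example, not code from the lesson: it builds a throwaway CA in a scratch directory, issues a leaf certificate, revokes it for key compromise, and then compares what a CRL published before the revocation, a CRL published after it, and an OCSP response say about the same certificate. The CA name, the hostname www.example.test, the config file and all file names are constructed for the demo; it needs only a recent openssl binary (1.1.1 or later) and no network.

```shell
#!/bin/sh
# Added example, not the page's code. Throwaway CA in a scratch directory:
# issue a leaf, revoke it, then compare a stale CRL, a fresh CRL and an
# OCSP response. All names and files are constructed for this demo.
set -e
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

lab_setup() {
    cd "$LAB"
    mkdir newcerts
    touch index.txt             # issuance/revocation database used by openssl ca
    echo 1000 > serial.txt      # next certificate serial number (hex)
    echo 01 > crlnumber         # next CRL number (hex)
    cat > lab.cnf <<'EOF'
[ ca ]
default_ca         = lab_ca
[ lab_ca ]
database           = index.txt
new_certs_dir      = newcerts
serial             = serial.txt
crlnumber          = crlnumber
certificate        = ca.pem
private_key        = ca.key
default_md         = sha256
default_days       = 30
default_crl_days   = 1
policy             = lab_policy
[ lab_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = lab_root
[ req_dn ]
[ lab_root ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed root; keyUsage includes cRLSign so its CRLs verify.
    openssl req -config lab.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Lab CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
    # Leaf issued through openssl ca so index.txt records it (status V).
    openssl req -config lab.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl ca -config lab.cnf -batch -notext -in leaf.csr -out leaf.pem >/dev/null 2>&1
}

# Publish a CA-signed CRL reflecting index.txt as it is right now.
publish_crl() { openssl ca -config lab.cnf -gencrl -out "$1" >/dev/null 2>&1; }

# Mark the leaf revoked in index.txt (what the CA does after a key compromise).
revoke_leaf() {
    openssl ca -config lab.cnf -revoke leaf.pem -crl_reason keyCompromise >/dev/null 2>&1
}

# CRL-based check of leaf.pem against the given CRL: prints "ok" or "revoked".
crl_verdict() {
    out=$(openssl verify -CAfile ca.pem -CRLfile "$1" -crl_check leaf.pem 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *"leaf.pem: OK"*)        echo ok ;;
        *)                       echo "error: $out" ;;
    esac
}

# Act as the CA's OCSP responder for one internally generated request and
# write the signed DER response, then verify that response as a client would.
# No nonce on either side: a response meant for stapling is fetched without
# one so the server can cache and re-serve it.
ocsp_verdict() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -issuer ca.pem -cert leaf.pem -no_nonce -respout "$1" >/dev/null 2>&1
    out=$(openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem -no_nonce \
        -CAfile ca.pem 2>&1 || true)
    case "$out" in *"Response verify OK"*) ;; *) echo "error: $out"; return ;; esac
    case "$out" in
        *"leaf.pem: revoked"*) echo revoked ;;
        *"leaf.pem: good"*)    echo good ;;
        *)                     echo "error: $out" ;;
    esac
}

lab_setup
publish_crl crl-before.pem      # published while the leaf is still good
revoke_leaf
publish_crl crl-after.pem       # published after the revocation
echo "stale CRL (pre-revocation):  $(crl_verdict crl-before.pem)"   # ok: the window of risk
echo "fresh CRL (post-revocation): $(crl_verdict crl-after.pem)"    # revoked
echo "OCSP response:               $(ocsp_verdict resp.der)"        # revoked
```

The first line is the point of the CRL section: a client holding the CRL published a moment before the revocation still reports the certificate as fine until it refreshes. The `resp.der` the script writes is exactly what a server would staple; with the same files, `openssl s_server -cert leaf.pem -key leaf.key -status_file resp.der` serves it in the handshake and `openssl s_client -connect localhost:4433 -status` prints the stapled status under "OCSP Response Data" without ever talking to a responder.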

Key idea

Revocation invalidates a certificate before expiry through published lists or online status queries, and OCSP stapling lets the server attach a fresh signed status for speed and privacy.

Check yourself

1. What advantage does OCSP have over a certificate revocation list?

2. What does OCSP stapling improve?