About Revocation Checking
This section provides an explanation of certificate revocation and how to use Venafi Trust Protection Platform™ to check the revocation status of certificates. Using Trust Protection Platform, you can verify the status of certificate revocations in the following ways:
- Automatically, by letting Trust Protection Platform check the revocation status (by default, at least once per day) and notify you when a certificate is found to be revoked. When Trust Protection Platform discovers a revoked certificate, it automatically notifies the certificate owners so that they can take appropriate action to avoid security issues.
- Manually, through the Check Revocation Now option. During a manual revocation check, Trust Protection Platform first tries OCSP to verify the individual certificate being checked. If OCSP fails, Trust Protection Platform checks via the certificate's CRL Distribution Point (CDP).
Revocation checking is an important part of your PKI strategy for the following reasons:
- If you request that a certificate be revoked, you can verify that the CA took action to perform the revocation.
- When certificates are added through Discovery, it is important to know whether or not each certificate is revoked, so you know what action to take on it. For example, revoked certificates should no longer be in use, so it may not be worth the effort to identify their owners.
- If a revocation occurs outside Trust Protection Platform, you can be notified and secure a new certificate for the affected systems. Such out-of-band revocations usually happen because a certificate owner in your organization is not aware of the process for revoking a certificate in Trust Protection Platform.
If a certificate is revoked, systems that rely on that certificate may incur an outage.
Revocation checking happens automatically as Trust Protection Platform verifies the CRL Distribution Points. Every 24 hours, any certificate that could not be checked for revocation through its CDP, either because it is not tied to a CDP or because the CDP was unavailable when checked, is checked via OCSP to see whether it has been revoked.
NOTE Some CAs (for example, Let's Encrypt) do not use CRL Distribution Points at all and rely solely on OCSP for certificate revocation validation. Certificates from these CAs will only be checked automatically for revocation once per day.
IMPORTANT When the OCSP response is signed by a separate certificate from the CA (rather than by the issuing certificate of the certificate being checked), Trust Protection Platform requires that signing certificate to carry the OCSP Signing extended key usage extension.
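The following is an added example, not Venafi code, of the two check orders described above (OCSP first with CDP/CRL fallback for a manual check, CRL first with OCSP fallback for the automated sweep) together with the rule in the IMPORTANT note: an OCSP response signed by a delegated responder certificate is only accepted when that certificate carries the OCSP Signing extended key usage and was issued by the same CA. It uses the `cryptography` package, and the CA, leaf, responder certificates, OCSP responses and CRLs are all constructed in memory (the names "Demo CA", "host.example" and so on are made up), so it runs without network access.

```python
# Added example (not Venafi's code): OCSP/CRL revocation check with fallback and the
# delegated-responder EKU rule. All PKI material below is constructed in memory.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.now(timezone.utc)

def make_cert(cn, key, issuer=None, issuer_key=None, ca=False, eku=None):
    """Self-signed when issuer is None; eku is an optional list of EKU OIDs."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(issuer.subject if issuer else subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())

def build_ocsp_response(cert, issuer, signer_cert, signer_key, revoked):
    """Signed OCSP response; the signer cert is embedded when it is a delegated responder."""
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    b = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=issuer, algorithm=hashes.SHA256(), cert_status=status,
        this_update=NOW, next_update=NOW + timedelta(days=1),
        revocation_time=NOW if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
    if signer_cert is not issuer:
        b = b.certificates([signer_cert])
    return b.sign(signer_key, hashes.SHA256())

def build_crl(issuer, issuer_key, revoked_serials):
    """CA-signed CRL listing the given serials (what a CDP would serve)."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer.subject)
         .last_update(NOW).next_update(NOW + timedelta(days=1)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def _sig_ok(pubkey, signature, data, hash_alg):
    try:
        pubkey.verify(signature, data, ec.ECDSA(hash_alg))
        return True
    except InvalidSignature:
        return False

def check_ocsp(cert, issuer, resp):
    """'good' / 'revoked', or None when the response cannot be trusted (caller falls back)."""
    if resp is None or resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return None
    if resp.certificates:                      # delegated responder, not the issuing CA
        signer = resp.certificates[0]
        try:
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            return None                        # no EKU extension at all: reject
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return None                        # EKU lacks OCSP Signing: reject
        if not _sig_ok(issuer.public_key(), signer.signature,
                       signer.tbs_certificate_bytes, signer.signature_hash_algorithm):
            return None                        # delegate must be issued by the same CA
    else:
        signer = issuer
    if not _sig_ok(signer.public_key(), resp.signature,
                   resp.tbs_response_bytes, resp.signature_hash_algorithm):
        return None
    if resp.serial_number != cert.serial_number:
        return None                            # response is about another certificate
    return {ocsp.OCSPCertStatus.GOOD: "good",
            ocsp.OCSPCertStatus.REVOKED: "revoked"}.get(resp.certificate_status)

def check_crl(cert, issuer, crl):
    """'good' / 'revoked' from a CA-signed CRL, or None when no usable CRL is available."""
    if crl is None or not crl.is_signature_valid(issuer.public_key()):
        return None
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

def check_revocation(cert, issuer, ocsp_resp=None, crl=None, order=("ocsp", "crl")):
    """Manual check: OCSP then CDP/CRL. Automated sweep: order=("crl", "ocsp")."""
    checkers = {"ocsp": lambda: check_ocsp(cert, issuer, ocsp_resp),
                "crl": lambda: check_crl(cert, issuer, crl)}
    for source in order:
        status = checkers[source]()
        if status is not None:
            return status, source
    return "unknown", "none"

def demo():
    """Constructed PKI: one CA, one leaf, delegated responders with and without the EKU."""
    ca_key, leaf_key, r_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Demo CA", ca_key, ca=True)
    leaf = make_cert("host.example", leaf_key, ca, ca_key)
    responder = make_cert("OCSP Responder", r_key, ca, ca_key, eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    no_eku = make_cert("Bad Responder", r_key, ca, ca_key, eku=[ExtendedKeyUsageOID.SERVER_AUTH])
    good_delegated = build_ocsp_response(leaf, ca, responder, r_key, False)
    return {
        "delegated_ok": check_revocation(leaf, ca, good_delegated),
        "ca_signed_revoked": check_revocation(leaf, ca, build_ocsp_response(leaf, ca, ca, ca_key, True)),
        "no_eku_falls_back_to_crl": check_revocation(
            leaf, ca, build_ocsp_response(leaf, ca, no_eku, r_key, False), build_crl(ca, ca_key, [leaf.serial_number])),
        "crl_only_good": check_revocation(leaf, ca, None, build_crl(ca, ca_key, [])),
        "sweep_crl_unavailable": check_revocation(leaf, ca, good_delegated, None, order=("crl", "ocsp")),
        "nothing": check_revocation(leaf, ca),
    }
```

The `no_eku_falls_back_to_crl` scenario is the one the IMPORTANT note is about: the OCSP response says "good", but because the delegated responder certificate lacks the OCSP Signing EKU it is discarded and the CRL, which lists the serial, decides the outcome. In a real deployment the OCSP response and CRL would be fetched from the URLs in the certificate's AIA and CDP extensions rather than built locally, and the CRL's `next_update` should also be checked for staleness.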