Checking the revocation status of certificates
Trust Protection Platform automatically checks the revocation status of all enabled certificates in the inventory on a scheduled basis. You can configure this schedule to run as frequently as every hour or as infrequently as once a day. If a certificate is found to be revoked, a notification is sent to the contacts for the certificate and the status of the certificate is updated. This keeps system administrators informed about the status of their certificates so that they learn of a revocation and can replace the revoked certificate with a new one.
Trust Protection Platform also provides the option to check the revocation status of an individual certificate at any time. Manually checking revocation is useful when you want to confirm that a revoked certificate actually appears on the currently published CRL, or when you suspect that a specific certificate has been revoked without the appropriate approvals.
NOTE: A manual check covers only the current version of the certificate. The scheduled revocation check also covers the certificates listed on the History tab of enabled certificates (those that have not expired or been revoked).
You can also view the revocation status of all certificates within a policy object from that object's View > Certificate tabs.
Revocation checking uses a combination of CRL Distribution Points and OCSP endpoints to gather its information.
- CRL Distribution Points are downloaded on the schedule configured on the Platform tree in Policy Tree, which ranges from daily to hourly.
- When a CRL is downloaded, it is digitally verified, and all serial numbers that appear on the list are cross-checked against the certificates in the certificate inventory. Any certificates found on the CRL are marked as Revoked in the certificate inventory.
- During the processing of daily tasks, Trust Protection Platform finds certificates that were not successfully checked for revocation within the last 24 hours. This can happen because the certificate has no CRL Distribution Points listed (for example, Let's Encrypt certificates never use CRL Distribution Points), or because all listed CRL Distribution Points are either disabled or return an error during the check. For each certificate that was not successfully checked for revocation in the last 24 hours, Trust Protection Platform queries OCSP (Online Certificate Status Protocol) for its revocation status. If the OCSP response reports the certificate as revoked, the certificate is marked as Revoked.
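As an added illustration (not Trust Protection Platform code; the function names, the status strings and the sample inventory are constructed for the example), this Python model walks through the decision flow described above: a CRL is used only if its signature verifies, the serials on it are cross-checked against the inventory, and OCSP is queried only for certificates that had no successful check in the last 24 hours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
NOW = datetime(2024, 1, 2)  # constructed "current time" for the demo
@dataclass
class InventoryCert:
    name: str
    issuer: str
    serial: int
    cdps: tuple = ()                        # CRL Distribution Points on the certificate
    last_checked: "datetime | None" = None  # time of the last *successful* check
    status: str = "Valid"

def apply_crl(inventory, issuer, revoked_serials, signature_valid, now):
    """Scheduled CRL pass: an unverifiable CRL is discarded and marks nothing;
    otherwise every cert from that issuer is cross-checked against the list."""
    if not signature_valid:
        return []
    marked = []
    for cert in inventory:
        if cert.issuer != issuer or cert.status == "Revoked":
            continue
        cert.last_checked = now              # counts as a successful check
        if cert.serial in revoked_serials:
            cert.status = "Revoked"
            marked.append(cert.name)
    return marked

def ocsp_fallback_reason(cert, now, failing_cdps=frozenset()):
    """Daily task: why OCSP is needed, or None if checked in the last 24 h."""
    if cert.last_checked and now - cert.last_checked < timedelta(hours=24):
        return None
    if not cert.cdps:
        return "no CRL Distribution Points on certificate"
    if all(url in failing_cdps for url in cert.cdps):
        return "all CRL Distribution Points disabled or failing"
    return "no successful revocation check in 24 hours"

def apply_ocsp(cert, ocsp_status, now):
    """Record an OCSP answer; 'unknown' leaves the cert for the next daily pass."""
    if ocsp_status in ("revoked", "good"):
        cert.last_checked = now
        cert.status = "Revoked" if ocsp_status == "revoked" else cert.status
    return cert.status

def sample_inventory(now):
    """Constructed data: two internal-CA certs with a CDP, one LE-style cert without."""
    cdp = ("http://crl.example.test/corp.crl",)
    return [InventoryCert("web01", "Corp CA", 0x1001, cdp, now - timedelta(hours=30)),
            InventoryCert("web02", "Corp CA", 0x1002, cdp),
            InventoryCert("le01", "LE CA", 0x2001)]
```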
To check the revocation status of an individual certificate manually:
- Open the Certificate Inventory and locate the certificate that you want to check.
- Open the certificate's details page.
- Click Actions > Check Revocation.
- Look at the Revocation Checking section to see the status.
- If the Results value is "Revocation check pending," refresh the page to see whether the check has completed.
For information on viewing the revocation status of multiple certificates at the same time, see Viewing the revocation status of multiple certificates.