Certificate Revocation Monitoring

Monitor certificate revocation status to detect revoked certificates, offline revocation services, and expired Certificate Revocation Lists (CRLs) to ensure certificate trust validation remains current and secure.

Phase 3 Feature - Enhanced chain validation includes revocation checking via CRL and OCSP protocols.

For configuration options, see Certificate Configuration - Revocation Monitoring.

Overview

Revocation monitoring validates that certificates have not been revoked by their issuing Certificate Authority, protecting against:

• Revoked Certificates - Certificates compromised or no longer trusted
• Unknown Revocation Status - Unable to verify revocation (CRL/OCSP unavailable)
• Offline Revocation Services - Network or service connectivity issues
• Expired CRLs - Stale revocation information requiring update
• Revocation Timeouts - Slow or unresponsive revocation services

What Is Certificate Revocation?

Certificate revocation is the process of invalidating a certificate before its expiration date. Certificates are revoked when:

• Private Key Compromised - Certificate's private key has been stolen or exposed
• CA Compromise - Issuing CA has been compromised or no longer trusted
• Certificate Superseded - Certificate replaced (renewal, rekey, or configuration change)
• Cessation of Operation - Service or organization no longer operates
• Affiliation Changed - Certificate holder's organizational affiliation changed
• Certificate Misuse - Certificate used for unauthorized purposes

Revocation Checking Methods

Windows Behavior: Windows certificate validation checks both CRL and OCSP endpoints if available, preferring OCSP for better performance.

Revocation Monitoring Features

Phase 3 (Current Implementation)

Certificate revocation checking is integrated with chain validation and detects three critical revocation states:

Per-Certificate Override: SkipRevocationCheck

Individual certificates can be configured to skip revocation checking:

Use Cases:

• Self-signed certificates (no revocation infrastructure)
• Internal CA certificates (offline revocation services by design)
• Development/testing certificates
• Certificates with known unavailable CRL/OCSP endpoints

Configuration: Set SkipRevocationCheck = true on individual certificate resources in Nodinite

Impact: Certificate will not generate RevocationStatusUnknown or OfflineRevocation warnings, but still detects Revoked status if revocation data is available.

Phase 10 Enhancements (Planned)

Advanced revocation monitoring capabilities planned for future release:

Revocation Error States

Revoked (ERROR)

Description: Certificate has been explicitly revoked by the issuing Certificate Authority.

Severity: ❌ ERROR - Certificate is no longer trusted

Common Causes:

• Private key compromised or suspected compromise
• Certificate replaced (superseded) before expiration
• Certificate issued incorrectly or fraudulently
• Organization requested revocation

Detection Method:

• Windows certificate validation queries CRL/OCSP
• CA publishes revocation status in CRL or OCSP responder
• Revocation status propagated through Windows certificate cache

Recommended Actions:

1. Immediate Replacement: Replace revoked certificate immediately
2. Investigate Cause: Determine why certificate was revoked
3. Review Security: If compromise suspected, audit for unauthorized access
4. Update Applications: Ensure all applications use replacement certificate
5. Remove Revoked Certificate: Delete from certificate stores after replacement

Example Display:

Certificate State: ❌ ERROR
Chain Validation: FAILED

Revocation Status: ❌ Revoked
  Certificate has been revoked by issuing CA
  Revocation Date: 2025-11-10 08:30:00 UTC
  Revocation Reason: Superseded
  
Priority Actions:
1. Replace certificate immediately
2. Verify replacement certificate installed correctly
3. Update IIS bindings, application configurations
4. Remove revoked certificate from stores

RevocationStatusUnknown (WARNING)

Description: Windows cannot determine whether the certificate has been revoked because CRL or OCSP services are unavailable.

Severity: ⚠️ WARNING - Revocation status cannot be verified

Common Causes:

• CRL distribution point URL unreachable (network issue)
• OCSP responder endpoint offline or slow
• Firewall blocking outbound HTTP/HTTPS to revocation services
• Certificate lacks CRL/OCSP extension (no revocation infrastructure)
• Proxy configuration preventing revocation checks

Detection Method:

• Windows attempts CRL download or OCSP query
• Both methods fail or timeout
• Certificate validation continues with unknown revocation status

Recommended Actions:

1. Check Network Connectivity: Verify outbound HTTP/HTTPS access
2. Test CRL URL: Manually download CRL from distribution point
3. Test OCSP Responder: Query OCSP endpoint with certutil -url
4. Review Firewall Rules: Ensure revocation endpoints not blocked
5. Verify Proxy Settings: Check Windows proxy configuration
6. Consider Override: Set SkipRevocationCheck=true if revocation unavailable by design

Example Display:

Certificate State: ⚠️ WARNING
Chain Validation: PASSED (with warnings)

Revocation Status: ❓ Unknown
  Cannot determine revocation status
  CRL URL: http://crl.example.com/ca.crl (unreachable)
  OCSP URL: http://ocsp.example.com (unreachable)
  
Troubleshooting Steps:
1. Test CRL download: curl http://crl.example.com/ca.crl
2. Test OCSP query: certutil -url "certificate.cer"
3. Check firewall rules for outbound HTTP/HTTPS
4. If revocation checking not required, set SkipRevocationCheck=true

OfflineRevocation (WARNING)

Description: Revocation service (CRL or OCSP) is temporarily offline or experiencing connectivity issues.

Severity: ⚠️ WARNING - Revocation service unavailable

Common Causes:

• CRL distribution point server down or unreachable
• OCSP responder service outage
• Network connectivity issue between server and revocation service
• DNS resolution failure for revocation endpoints
• Revocation service undergoing maintenance

Difference from RevocationStatusUnknown:

• OfflineRevocation: Service exists but is temporarily unreachable (transient issue)
• RevocationStatusUnknown: Cannot determine status for any reason (may be permanent)

Recommended Actions:

1. Check Service Status: Verify CRL/OCSP endpoint availability
2. Test from Different Location: Confirm issue is not local network
3. Review DNS Resolution: Ensure revocation endpoint resolves correctly
4. Contact CA: Report service outage to Certificate Authority
5. Monitor for Recovery: Check if issue resolves automatically
6. Temporary Override: Consider SkipRevocationCheck=true during outage

Example Display:

Certificate State: ⚠️ WARNING
Chain Validation: PASSED (with warnings)

Revocation Status: 🔌 Offline
  Revocation service is offline
  CRL URL: http://crl.example.com/ca.crl (HTTP 503 Service Unavailable)
  OCSP URL: http://ocsp.example.com (Connection timeout)
  Last Successful Check: 2025-11-15 14:22:00 UTC
  
Troubleshooting Steps:
1. Verify endpoint availability: curl -I http://crl.example.com/ca.crl
2. Check DNS resolution: nslookup crl.example.com
3. Test from external network to isolate issue
4. Contact CA support if service outage persists

Configuration

Global Revocation Settings

Configure revocation checking behavior for all certificates:

Per-Certificate Overrides

Configure individual certificates to skip revocation checking:

When to Use SkipRevocationCheck:

• ✅ Self-signed certificates (no revocation infrastructure)
• ✅ Internal CA with offline CRL/OCSP (by design)
• ✅ Development/testing certificates
• ✅ Certificates with known unavailable endpoints
• ❌ Production certificates from public CAs (should always check)

Phase 10 Configuration (Planned)

Advanced revocation monitoring settings planned for future release:

Revocation Checking Workflow

Understanding how Windows validates certificate revocation:

Revocation Checking Steps

1. Check Global Setting: Is ValidateRevocation=true?
2. Check Certificate Override: Does certificate have SkipRevocationCheck=true?
3. Check Extensions: Does certificate have CRL Distribution Point or OCSP extensions?
4. Try OCSP First: Query OCSP responder (faster, real-time)
5. Fallback to CRL: If OCSP fails, download and parse CRL
6. Determine State:
   • Valid (OK): Not revoked
   • Revoked (ERROR): Certificate explicitly revoked
   • Offline/Unknown (WARNING): Cannot verify status

Revocation Status Display

Certificate details page shows comprehensive revocation information:

Current Implementation (Phase 3)

Chain Validation: PASSED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Revocation Status: ✅ Not Revoked
  Last Checked: 2025-11-17 10:15:00 UTC
  Method: OCSP
  
CRL Distribution Points:
  • http://crl.example.com/intermediate-ca.crl
  
OCSP Responders:
  • http://ocsp.example.com

Phase 10 Enhanced Display (Planned)

Chain Validation: PASSED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Revocation Status: ✅ Not Revoked
  Last Checked: 2025-11-17 10:15:00 UTC
  Method: OCSP (1,234 ms response time)
  Next Check: 2025-11-17 11:15:00 UTC
  
CRL Information:
  Distribution Point: http://crl.example.com/intermediate-ca.crl
  This Update: 2025-11-15 00:00:00 UTC
  Next Update: 2025-11-22 00:00:00 UTC
  CRL Age: 2 days (✅ Fresh)
  CRL Size: 45 KB (1,234 revoked certificates)
  
OCSP Responder Health:
  Endpoint: http://ocsp.example.com
  Status: ✅ Online
  Response Time: 1,234 ms (✅ Good)
  Last Successful Query: 2025-11-17 10:15:00 UTC
  Availability (24h): 99.8%

Troubleshooting Revocation Issues

Issue 1: RevocationStatusUnknown on All Certificates

Symptoms:

• All certificates show RevocationStatusUnknown warning
• Certificates from multiple CAs affected

Diagnosis:

# Test outbound connectivity to CRL endpoint
$crlUrl = "http://crl.example.com/ca.crl"
Invoke-WebRequest -Uri $crlUrl -UseBasicParsing

# Test OCSP responder
certutil -url "C:\path\to\certificate.cer"

# Check Windows proxy settings
netsh winhttp show proxy

Common Causes:

• ❌ Firewall blocking outbound HTTP/HTTPS
• ❌ Proxy misconfiguration
• ❌ DNS resolution failure
• ❌ Network connectivity issue

Resolution:

1. Verify outbound HTTP/HTTPS access to revocation endpoints
2. Configure Windows proxy if required: netsh winhttp set proxy proxy-server:port
3. Add firewall rules allowing outbound access
4. Test connectivity from monitoring agent server

Issue 2: OfflineRevocation for Specific CA

Symptoms:

• Certificates from specific CA show OfflineRevocation
• Other CA certificates work correctly

Diagnosis:

# Check CRL URL accessibility
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=example*" }
$cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "CRL Distribution Points" }

# Download CRL manually
$crlUrl = "http://crl.example.com/ca.crl"
Invoke-WebRequest -Uri $crlUrl -OutFile "test-crl.crl"

# Parse CRL
certutil -dump "test-crl.crl"

Common Causes:

• ❌ CA's CRL distribution point server offline
• ❌ OCSP responder service down
• ❌ CA undergoing maintenance

Resolution:

1. Contact CA support to report service outage
2. Check CA's status page for known issues
3. Temporarily set SkipRevocationCheck=true on affected certificates
4. Monitor for service recovery

Issue 3: Performance Degradation from Revocation Checks

Symptoms:

• Certificate validation takes 10+ seconds
• Monitoring agent polling intervals delayed
• Timeouts in application certificate validation

Diagnosis:

# Measure OCSP response time
Measure-Command {
    certutil -url "C:\path\to\certificate.cer"
}

# Check CRL size and download time
$crlUrl = "http://crl.example.com/ca.crl"
Measure-Command {
    Invoke-WebRequest -Uri $crlUrl -UseBasicParsing
}

Common Causes:

• ❌ Very large CRL files (10+ MB)
• ❌ Slow OCSP responder
• ❌ Network latency to revocation services
• ❌ Many certificates validated simultaneously

Resolution:

1. ⏱️ Phase 10: Configure RevocationTimeoutSeconds to prevent hanging
2. Use Windows revocation cache to minimize repeated queries
3. Consider certificate cleanup to reduce validation load
4. Contact CA about slow OCSP responders

Issue 4: Expired CRL Not Detected

Symptoms:

• CRL "Next Update" time has passed
• No alert generated for stale CRL
• Revocation checks continue using expired CRL

Current Limitation:

• Phase 3 does not detect expired CRLs
• Windows may continue using cached expired CRL

Phase 10 Resolution:

• AlertOnExpiredCRL=true will detect and alert
• CRLMaxAgeDays threshold for freshness warnings
• Display CRL "Next Update" time in certificate details

Best Practices

Revocation Checking Strategy

• ✅ Enable revocation checking for all production certificates from public CAs
• ✅ Skip revocation for self-signed and internal CA certificates (when appropriate)
• ✅ Monitor OCSP/CRL availability to detect service outages early
• ✅ Configure firewall rules allowing outbound access to revocation endpoints
• ✅ Test revocation checking during certificate deployment
• ✅ Use OCSP stapling in IIS/web servers to improve performance
• ❌ Do NOT disable revocation globally unless absolutely necessary

Configuration Recommendations

Performance Optimization

• ✅ Use OCSP over CRL when possible (faster, smaller)
• ✅ Enable Windows CRL caching to reduce repeated downloads
• ✅ Monitor CRL size - large CRLs (50+ MB) impact performance
• ✅ Consider OCSP stapling in web servers
• ⏱️ Phase 10: Configure timeouts to prevent hanging on slow services

Security Compliance

• ✅ Audit certificates with SkipRevocationCheck=true quarterly
• ✅ Document justification for revocation check overrides
• ✅ Monitor for certificates in Revoked state
• ✅ Investigate RevocationStatusUnknown warnings promptly
• ⏱️ Phase 10: Enable AlertOnDisabledRevocation for compliance validation

Next Steps

• FAQ: Revocation Testing - Create test certificates with various revocation states
• Chain Validation - Comprehensive chain validation including revocation checking
• Certificate Configuration - Configure revocation checking and overrides

Related Topics

• Certificate Overview
• Certificate Monitoring
• Certificate Remote Actions
• Windows Server Monitoring Agent