
Certificate Revocation Monitoring

Tags: Certificate revocation, CRL, OCSP, RevocationStatusUnknown, OfflineRevocation, Revoked certificates, CRL freshness, OCSP responder health, revocation timeout, SkipRevocationCheck

Monitor certificate revocation status to detect revoked certificates, offline revocation services, and expired Certificate Revocation Lists (CRLs) to ensure certificate trust validation remains current and secure.

Phase 3 Feature - Enhanced chain validation includes revocation checking via CRL and OCSP protocols.

For configuration options, see Certificate Configuration - Revocation Monitoring.

Overview

Revocation monitoring validates that certificates have not been revoked by their issuing Certificate Authority, protecting against:

  • Revoked Certificates - Certificates compromised or no longer trusted
  • Unknown Revocation Status - Unable to verify revocation (CRL/OCSP unavailable)
  • Offline Revocation Services - Network or service connectivity issues
  • Expired CRLs - Stale revocation information requiring update
  • Revocation Timeouts - Slow or unresponsive revocation services

What Is Certificate Revocation?

Certificate revocation is the process of invalidating a certificate before its expiration date. Certificates are revoked when:

  • Private Key Compromised - Certificate's private key has been stolen or exposed
  • CA Compromise - Issuing CA has been compromised or no longer trusted
  • Certificate Superseded - Certificate replaced (renewal, rekey, or configuration change)
  • Cessation of Operation - Service or organization no longer operates
  • Affiliation Changed - Certificate holder's organizational affiliation changed
  • Certificate Misuse - Certificate used for unauthorized purposes

Revocation Checking Methods

| Method | Protocol | Performance | Reliability | Best For |
|---|---|---|---|---|
| CRL (Certificate Revocation List) | HTTP (LDAP distribution points are also supported on Windows) | Slower: the whole list is downloaded, then cached locally until its Next Update time | High: a cached, still-valid CRL keeps working while the distribution point is unreachable | Legacy systems, offline validation |
| OCSP (Online Certificate Status Protocol) | HTTP | Faster: one small query per certificate | Real-time status, but every fresh check depends on the responder being up | Modern systems, online validation |

Windows Behavior: Windows first looks in its local revocation cache; a cached CRL or OCSP response that is still within its validity period is used without any network traffic. Otherwise it queries the OCSP responder listed in the certificate's Authority Information Access extension when one is present, and falls back to the CRL Distribution Points if OCSP fails or is not advertised.

Revocation Monitoring Features

Phase 3 (Current Implementation)

Certificate revocation checking is integrated with chain validation and detects three critical revocation states:

| Detection | Severity | Description |
|---|---|---|
| Revoked | ERROR | Certificate has been revoked by issuing CA |
| RevocationStatusUnknown | WARNING | Cannot determine revocation status (CRL/OCSP unavailable) |
| OfflineRevocation | WARNING | Revocation service is offline or unreachable |

Per-Certificate Override: SkipRevocationCheck

Individual certificates can be configured to skip revocation checking:

Use Cases:

  • Self-signed certificates (no revocation infrastructure)
  • Internal CA certificates (offline revocation services by design)
  • Development/testing certificates
  • Certificates with known unavailable CRL/OCSP endpoints

Configuration: Set SkipRevocationCheck = true on individual certificate resources in Nodinite

Impact: Certificate will not generate RevocationStatusUnknown or OfflineRevocation warnings, but still detects Revoked status if revocation data is available.

Phase 10 Enhancements (Planned)

Advanced revocation monitoring capabilities planned for future release:

| Enhancement | Capability | Benefit |
|---|---|---|
| CRL Freshness | Display CRL issue date, next update time, age | Detect stale CRL data requiring refresh |
| Expired CRL Detection | Alert when CRL has passed "Next Update" time | Ensure revocation data remains current |
| OCSP Responder Health | Monitor OCSP endpoint availability and latency | Detect revocation service degradation |
| Response Time Tracking | Measure CRL/OCSP response times | Identify performance issues |
| Timeout Configuration | Configurable timeout thresholds for revocation checks | Prevent hanging on slow services |
| Disabled Revocation Warning | Alert when revocation checking is disabled globally | Security compliance validation |
| Revocation Cache Visibility | Display cached revocation status and freshness | Transparency into Windows revocation cache |

Revocation Error States

Revoked (ERROR)

Description: Certificate has been explicitly revoked by the issuing Certificate Authority.

Severity: ERROR - Certificate is no longer trusted

Common Causes:

  • Private key compromised or suspected compromise
  • Certificate replaced (superseded) before expiration
  • Certificate issued incorrectly or fraudulently
  • Organization requested revocation

Detection Method:

  • The CA lists the certificate's serial number in its CRL, or its OCSP responder answers "revoked"
  • Windows certificate validation fetches that CRL or OCSP response while building the chain
  • Windows caches the CRL or OCSP response locally, so the revoked state is reported on every later check until the cached data expires and is refreshed

Recommended Actions:

  1. Immediate Replacement: Replace revoked certificate immediately
  2. Investigate Cause: Determine why certificate was revoked
  3. Review Security: If compromise suspected, audit for unauthorized access
  4. Update Applications: Ensure all applications use replacement certificate
  5. Remove Revoked Certificate: Delete from certificate stores after replacement

Example Display:

Certificate State: ❌ ERROR
Chain Validation: FAILED

Revocation Status: ❌ Revoked
  Certificate has been revoked by issuing CA
  Revocation Date: 2025-11-10 08:30:00 UTC
  Revocation Reason: Superseded
  
Priority Actions:
1. Replace certificate immediately
2. Verify replacement certificate installed correctly
3. Update IIS bindings, application configurations
4. Remove revoked certificate from stores

RevocationStatusUnknown (WARNING)

Description: Windows cannot determine whether the certificate has been revoked because CRL or OCSP services are unavailable.

Severity: WARNING - Revocation status cannot be verified

Common Causes:

  • CRL distribution point URL unreachable (network issue)
  • OCSP responder endpoint offline or slow
  • Firewall blocking outbound HTTP/HTTPS to revocation services
  • Certificate carries neither a CRL Distribution Points extension nor an OCSP URL in its Authority Information Access extension (no revocation infrastructure)
  • Proxy configuration preventing revocation checks

Detection Method:

  • Windows attempts a CRL download or an OCSP query
  • Both methods fail or time out, or the certificate advertises no revocation endpoint at all
  • Chain validation completes, but with the revocation status flagged as unknown

Recommended Actions:

  1. Check Network Connectivity: Verify outbound HTTP/HTTPS access
  2. Test CRL URL: Manually download the CRL from the distribution point
  3. Test OCSP Responder: Let CryptoAPI perform the lookup with certutil -urlfetch -verify <certificate.cer>; it prints the result of every CRL and OCSP retrieval (certutil -url opens a GUI tool instead)
  4. Review Firewall Rules: Ensure revocation endpoints are not blocked
  5. Verify Proxy Settings: Check the Windows proxy configuration, including the WinHTTP proxy used by services (netsh winhttp show proxy)
  6. Consider Override: Set SkipRevocationCheck=true only if revocation is unavailable by design, and document the reason

Example Display:

Certificate State: ⚠️ WARNING
Chain Validation: PASSED (with warnings)

Revocation Status: ❓ Unknown
  Cannot determine revocation status
  CRL URL: http://crl.example.com/ca.crl (unreachable)
  OCSP URL: http://ocsp.example.com (unreachable)
  
Troubleshooting Steps:
1. Test CRL download: curl -I http://crl.example.com/ca.crl
2. Test OCSP query: certutil -urlfetch -verify "certificate.cer"
3. Check firewall rules for outbound HTTP/HTTPS
4. If revocation checking is not required for this certificate, set SkipRevocationCheck=true

OfflineRevocation (WARNING)

Description: Revocation service (CRL or OCSP) is temporarily offline or experiencing connectivity issues.

Severity: WARNING - Revocation service unavailable

Common Causes:

  • CRL distribution point server down or unreachable
  • OCSP responder service outage
  • Network connectivity issue between server and revocation service
  • DNS resolution failure for revocation endpoints
  • Revocation service undergoing maintenance

Difference from RevocationStatusUnknown:

  • OfflineRevocation: Service exists but is temporarily unreachable (transient issue)
  • RevocationStatusUnknown: Cannot determine status for any reason (may be permanent)

Recommended Actions:

  1. Check Service Status: Verify CRL/OCSP endpoint availability
  2. Test from Different Location: Confirm the issue is not the local network
  3. Review DNS Resolution: Ensure the revocation endpoint resolves correctly
  4. Contact CA: Report the service outage to the Certificate Authority
  5. Monitor for Recovery: Check whether the issue resolves automatically
  6. Temporary Override: Consider SkipRevocationCheck=true during the outage, and remove the override as soon as the service is back; while it is set, only cached revocation data is consulted for that certificate

Example Display:

Certificate State: ⚠️ WARNING
Chain Validation: PASSED (with warnings)

Revocation Status: 🔌 Offline
  Revocation service is offline
  CRL URL: http://crl.example.com/ca.crl (HTTP 503 Service Unavailable)
  OCSP URL: http://ocsp.example.com (Connection timeout)
  Last Successful Check: 2025-11-15 14:22:00 UTC
  
Troubleshooting Steps:
1. Verify endpoint availability: curl -I http://crl.example.com/ca.crl
2. Check DNS resolution: nslookup crl.example.com
3. Test from external network to isolate issue
4. Contact CA support if service outage persists

Configuration

Global Revocation Settings

Configure revocation checking behavior for all certificates:

| Setting | Default | Description |
|---|---|---|
| ValidateRevocation | true | Enable/disable global revocation checking (CRL/OCSP) |
| AllowUnknownRevocationStatus | true | Continue validation when revocation status cannot be determined |
| RevocationTimeoutSeconds | 15 | ⏱️ Phase 10 - Timeout for CRL/OCSP queries (seconds) |
| AlertOnDisabledRevocation | false | ⏱️ Phase 10 - Warn when revocation checking is globally disabled |

Per-Certificate Overrides

Configure individual certificates to skip revocation checking:

| Setting | Default | Description |
|---|---|---|
| SkipRevocationCheck | false | Skip revocation checking for this specific certificate |

When to Use SkipRevocationCheck:

  • ✅ Self-signed certificates (no revocation infrastructure)
  • ✅ Internal CA with offline CRL/OCSP (by design)
  • ✅ Development/testing certificates
  • ✅ Certificates with known unavailable endpoints
  • ❌ Production certificates from public CAs (should always check)

Phase 10 Configuration (Planned)

Advanced revocation monitoring settings planned for future release:

| Setting | Default | Description |
|---|---|---|
| EnableCRLFreshnessCheck | true | Alert when CRL is stale or expired |
| CRLMaxAgeDays | 7 | Maximum CRL age before warning |
| EnableOCSPHealthMonitoring | true | Monitor OCSP responder availability and latency |
| OCSPResponseTimeThresholdMs | 2000 | Warning threshold for OCSP response time |
| DisplayCRLDetails | true | Show CRL issue date, next update, validity period |
| DisplayOCSPResponderInfo | true | Show OCSP responder URL, response time, health |
| AlertOnExpiredCRL | true | Generate ERROR when CRL has passed "Next Update" time |

Revocation Checking Workflow

Understanding how Nodinite's settings and the Windows chain engine together decide a certificate's revocation state:

```mermaid
graph TD
    Start([Certificate Validation]) --> CheckEnabled{Revocation<br/>Enabled?}
    CheckEnabled -->|No| Skip[Skip Revocation<br/>✅ OK]
    CheckEnabled -->|Yes| CheckOverride{Certificate Has<br/>SkipRevocationCheck?}
    CheckOverride -->|Yes| Skip
    CheckOverride -->|No| CheckExtensions{Certificate Has<br/>CRL/OCSP Extensions?}
    CheckExtensions -->|No| NoExtensions[No Revocation Info<br/>⚠️ WARNING]
    CheckExtensions -->|Yes| TryOCSP[Query OCSP<br/>Responder]
    TryOCSP --> OCSPResult{OCSP<br/>Success?}
    OCSPResult -->|Yes - Not Revoked| Valid[✅ Valid]
    OCSPResult -->|Yes - Revoked| Revoked[❌ Revoked<br/>ERROR]
    OCSPResult -->|No/Timeout| TryCRL[Download CRL]
    TryCRL --> CRLResult{CRL<br/>Success?}
    CRLResult -->|Yes - Not Revoked| Valid
    CRLResult -->|Yes - Revoked| Revoked
    CRLResult -->|No| Offline[⚠️ OfflineRevocation<br/>WARNING]
    NoExtensions --> End([Validation Complete])
    Skip --> End
    Valid --> End
    Revoked --> End
    Offline --> End
    style Start fill:#e3f2fd
    style Valid fill:#c8e6c9
    style Revoked fill:#ffcdd2
    style Offline fill:#ffe0b2
    style NoExtensions fill:#ffe0b2
    style Skip fill:#f5f5f5
    style End fill:#e3f2fd
```

Revocation Checking Steps

  1. Check Global Setting: Is ValidateRevocation=true?
  2. Check Certificate Override: Does the certificate have SkipRevocationCheck=true?
  3. Check Extensions: Does the certificate have a CRL Distribution Points extension or an OCSP URL in its Authority Information Access extension?
  4. Try OCSP First: Windows consults its local revocation cache before any network request; if no valid cached data exists it queries the OCSP responder (faster, real-time)
  5. Fallback to CRL: If OCSP fails or times out, download and parse the CRL
  6. Determine State:
    • Valid (OK): Not revoked
    • Revoked (ERROR): Certificate explicitly revoked
    • Offline/Unknown (WARNING): Cannot verify status
Revocation Status Display

Certificate details page shows comprehensive revocation information:

Current Implementation (Phase 3)

Chain Validation: PASSED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Revocation Status: ✅ Not Revoked
  Last Checked: 2025-11-17 10:15:00 UTC
  Method: OCSP
  
CRL Distribution Points:
  • http://crl.example.com/intermediate-ca.crl
  
OCSP Responders:
  • http://ocsp.example.com

Phase 10 Enhanced Display (Planned)

Chain Validation: PASSED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Revocation Status: ✅ Not Revoked
  Last Checked: 2025-11-17 10:15:00 UTC
  Method: OCSP (1,234 ms response time)
  Next Check: 2025-11-17 11:15:00 UTC
  
CRL Information:
  Distribution Point: http://crl.example.com/intermediate-ca.crl
  This Update: 2025-11-15 00:00:00 UTC
  Next Update: 2025-11-22 00:00:00 UTC
  CRL Age: 2 days (✅ Fresh)
  CRL Size: 45 KB (1,234 revoked certificates)
  
OCSP Responder Health:
  Endpoint: http://ocsp.example.com
  Status: ✅ Online
  Response Time: 1,234 ms (✅ Good)
  Last Successful Query: 2025-11-17 10:15:00 UTC
  Availability (24h): 99.8%

Troubleshooting Revocation Issues

Issue 1: RevocationStatusUnknown on All Certificates

Symptoms:

  • All certificates show RevocationStatusUnknown warning
  • Certificates from multiple CAs affected

Diagnosis:

```powershell
# Test outbound connectivity to the CRL endpoint (use the URL from the certificate's CDP extension)
$crlUrl = "http://crl.example.com/ca.crl"
Invoke-WebRequest -Uri $crlUrl -UseBasicParsing

# Let CryptoAPI itself fetch the CRL/OCSP data for the certificate and report every retrieval
# (certutil -url opens a GUI tool; -urlfetch -verify prints the results to the console)
certutil -urlfetch -verify "C:\path\to\certificate.cer"

# Show the machine-wide WinHTTP proxy, which is what CryptoAPI URL retrieval uses when it runs
# inside a service rather than under the interactive user's browser proxy
netsh winhttp show proxy
```

Common Causes:

  • ❌ Firewall blocking outbound HTTP/HTTPS
  • ❌ Proxy misconfiguration
  • ❌ DNS resolution failure
  • ❌ Network connectivity issue

Resolution:

  1. Verify outbound HTTP/HTTPS access to the revocation endpoints
  2. Configure the WinHTTP proxy if one is required: netsh winhttp set proxy proxy-server="<proxy-host>:<port>" bypass-list="<local>" (placeholders shown; a proxy set only in the user's browser settings is not seen by services)
  3. Add firewall rules allowing outbound access
  4. Test connectivity from the monitoring agent server, under the account the agent runs as

Issue 2: OfflineRevocation for Specific CA

Symptoms:

  • Certificates from specific CA show OfflineRevocation
  • Other CA certificates work correctly

Diagnosis:

```powershell
# Read the CRL Distribution Points extension (match by OID 2.5.29.31; the FriendlyName is localized)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=example*" } | Select-Object -First 1
($cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }).Format($true)   # prints the URL= lines

# Download the CRL manually from one of the listed URLs
$crlUrl = "http://crl.example.com/ca.crl"
Invoke-WebRequest -Uri $crlUrl -OutFile "test-crl.crl" -UseBasicParsing

# Parse the CRL: look at ThisUpdate/NextUpdate and the list of revoked serial numbers
certutil -dump "test-crl.crl"
```

Common Causes:

  • ❌ CA's CRL distribution point server offline
  • ❌ OCSP responder service down
  • ❌ CA undergoing maintenance

Resolution:

  1. Contact CA support to report the service outage
  2. Check the CA's status page for known issues
  3. Temporarily set SkipRevocationCheck=true on the affected certificates, record why, and remove the override once the service recovers
  4. Monitor for service recovery

Issue 3: Performance Degradation from Revocation Checks

Symptoms:

  • Certificate validation takes 10+ seconds
  • Monitoring agent polling intervals delayed
  • Timeouts in application certificate validation

Diagnosis:

```powershell
# Measure a full CryptoAPI revocation retrieval for the certificate;
# -f bypasses the local revocation cache so the timing reflects the network, not a cached answer
Measure-Command {
    certutil -f -urlfetch -verify "C:\path\to\certificate.cer"
}

# Check CRL download time and size
$crlUrl = "http://crl.example.com/ca.crl"
Measure-Command {
    Invoke-WebRequest -Uri $crlUrl -UseBasicParsing -OutFile "test-crl.crl"
}
(Get-Item "test-crl.crl").Length   # CRL size in bytes
```

Common Causes:

  • ❌ Very large CRL files (10+ MB)
  • ❌ Slow OCSP responder
  • ❌ Network latency to revocation services
  • ❌ Many certificates validated simultaneously

Resolution:

  1. ⏱️ Phase 10: Configure RevocationTimeoutSeconds to prevent hanging
  2. Let the Windows revocation cache work for you: a CRL is fetched once and reused until its Next Update time, so avoid tooling that forces a fresh retrieval on every poll
  3. Consider certificate cleanup to reduce validation load
  4. Contact the CA about slow OCSP responders or oversized CRLs

Issue 4: Expired CRL Not Detected

Symptoms:

  • CRL "Next Update" time has passed
  • No alert generated for stale CRL
  • Revocation checks continue using expired CRL

Current Limitation:

  • Phase 3 does not detect expired CRLs
  • Windows may continue using cached expired CRL

Phase 10 Resolution:

  • AlertOnExpiredCRL=true will detect and alert
  • CRLMaxAgeDays threshold for freshness warnings
  • Display CRL "Next Update" time in certificate details
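Until Phase 10 ships, the expired-CRL check has to be done outside Nodinite. The script below is an added example, not Nodinite's code: it reads thisUpdate and nextUpdate directly out of a DER-encoded CRL with a minimal ASN.1 walker (no third-party module, works on Windows PowerShell 5.1) and applies the two rules this page describes, a warning once the CRL is older than CRLMaxAgeDays and an error once Next Update has passed. The parameter names mirror the planned settings; the sample CRL at the end is constructed in place with the dates shown earlier on this page and carries a dummy signature, so it exercises only the date logic.

```powershell
# Added example (not Nodinite code). Minimal DER walker for CRL freshness checks.
function Read-DerTlv {
    # Decode one DER tag/length header at $Offset; returns where the value starts and ends.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]
    $i   = $Offset + 1
    $len = [int]$Bytes[$i]; $i++
    if ($len -band 0x80) {                       # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F; $len = 0
        for ($k = 0; $k -lt $n; $k++) { $len = ($len * 256) + $Bytes[$i]; $i++ }
    }
    [pscustomobject]@{ Tag = $tag; Length = $len; Start = $i; End = $i + $len }
}

function ConvertFrom-DerTime {
    # UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) to a UTC [datetime].
    param([byte[]]$Bytes, $Tlv)
    if ($Tlv.Tag -notin 0x17, 0x18) { throw ('Expected a time, got tag 0x{0:X2}' -f $Tlv.Tag) }
    $s = [Text.Encoding]::ASCII.GetString($Bytes, $Tlv.Start, $Tlv.Length).TrimEnd('Z')
    if ($Tlv.Tag -eq 0x17) {                     # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, else 20YY
        $century = if ([int]$s.Substring(0, 2) -ge 50) { '19' } else { '20' }
        $s = $century + $s
    }
    $t = [datetime]::ParseExact($s, 'yyyyMMddHHmmss', [Globalization.CultureInfo]::InvariantCulture)
    [datetime]::SpecifyKind($t, 'Utc')
}

function Get-CrlValidity {
    # CertificateList ::= SEQUENCE { tbsCertList SEQUENCE { version?, signature, issuer,
    #   thisUpdate, nextUpdate?, revokedCertificates?, extensions? }, signatureAlgorithm, signature }
    param([byte[]]$Der)
    $outer = Read-DerTlv $Der 0
    $tbs   = Read-DerTlv $Der $outer.Start
    $pos   = $tbs.Start
    $first = Read-DerTlv $Der $pos
    if ($first.Tag -eq 0x02) { $pos = $first.End }   # optional version INTEGER (v2 CRLs)
    $pos = (Read-DerTlv $Der $pos).End               # signature AlgorithmIdentifier
    $pos = (Read-DerTlv $Der $pos).End               # issuer Name
    $thisTlv = Read-DerTlv $Der $pos; $pos = $thisTlv.End
    $next = $null
    if ($pos -lt $tbs.End) {                         # nextUpdate is OPTIONAL; next TLV may be the revoked list
        $nextTlv = Read-DerTlv $Der $pos
        if ($nextTlv.Tag -in 0x17, 0x18) { $next = ConvertFrom-DerTime $Der $nextTlv }
    }
    [pscustomobject]@{ ThisUpdate = (ConvertFrom-DerTime $Der $thisTlv); NextUpdate = $next }
}

function Test-CrlFreshness {
    param([byte[]]$Der, [int]$CRLMaxAgeDays = 7, [datetime]$Now = [datetime]::UtcNow)
    $v     = Get-CrlValidity $Der
    $age   = ($Now - $v.ThisUpdate).TotalDays
    $state = 'FRESH'
    if ($age -gt $CRLMaxAgeDays)                   { $state = 'STALE'   }   # CRLMaxAgeDays warning
    if ($v.NextUpdate -and $Now -gt $v.NextUpdate) { $state = 'EXPIRED' }   # AlertOnExpiredCRL error
    [pscustomobject]@{ ThisUpdate = $v.ThisUpdate; NextUpdate = $v.NextUpdate; AgeDays = [math]::Round($age, 1); State = $state }
}

# --- constructed sample: an unsigned CRL skeleton using the dates shown on this page ---
function New-DerTlv { param([byte]$Tag, [byte[]]$Content)
    if ($Content.Length -gt 127) { throw 'sample encoder handles short-form lengths only' }
    return ,[byte[]](@([byte]$Tag, [byte]$Content.Length) + $Content) }
$ascii  = [Text.Encoding]::ASCII
$algId  = New-DerTlv 0x30 ([byte[]](0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, 0x05,0x00))  # sha256WithRSA, NULL
$cn     = New-DerTlv 0x30 ([byte[]]([byte[]](0x06,0x03,0x55,0x04,0x03) + (New-DerTlv 0x13 ($ascii.GetBytes('Test CA')))))
$issuer = New-DerTlv 0x30 (New-DerTlv 0x31 $cn)
$tbs    = New-DerTlv 0x30 ([byte[]]((New-DerTlv 0x02 ([byte[]](1))) + $algId + $issuer +
            (New-DerTlv 0x17 ($ascii.GetBytes('251115000000Z'))) + (New-DerTlv 0x17 ($ascii.GetBytes('251122000000Z')))))
$sampleCrl = New-DerTlv 0x30 ([byte[]]($tbs + $algId + [byte[]](0x03,0x02,0x00,0x00)))   # dummy BIT STRING signature

Test-CrlFreshness -Der $sampleCrl -Now ([datetime]::SpecifyKind([datetime]'2025-11-17 10:15', 'Utc'))   # State FRESH
Test-CrlFreshness -Der $sampleCrl -Now ([datetime]::SpecifyKind([datetime]'2025-11-23 00:00', 'Utc'))   # State EXPIRED
# Real CRL: $der = (Invoke-WebRequest -Uri 'http://crl.example.com/ca.crl' -UseBasicParsing).Content
```

Feed a real CRL as the byte array returned by Invoke-WebRequest or [IO.File]::ReadAllBytes; if a distribution point serves PEM ("-----BEGIN X509 CRL-----") base64-decode the body first. The walker deliberately stops after nextUpdate, so a multi-megabyte CRL costs nothing beyond the download. A freshness check is not a signature check: this script trusts the file it is handed, whereas Windows verifies the CRL signature against the issuing CA before using it.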

Best Practices

Revocation Checking Strategy

  • Enable revocation checking for all production certificates from public CAs
  • Skip revocation for self-signed and internal CA certificates only where no revocation infrastructure exists, and record the justification
  • Monitor OCSP/CRL availability to detect service outages early
  • Configure firewall rules allowing outbound access to revocation endpoints from the monitoring agent server
  • Test revocation checking during certificate deployment
  • Use OCSP stapling in IIS/web servers so TLS clients get a fresh status from the server itself; note that stapling helps connecting clients, not the agent's own validation of certificates in the store
  • Do NOT disable revocation globally unless absolutely necessary

Configuration Recommendations

| Environment | ValidateRevocation | SkipRevocationCheck | Rationale |
|---|---|---|---|
| Production (Public CAs) | true | false | Full revocation validation required |
| Production (Internal CAs) | true | true (per-cert) | Skip only for certificates whose CRL/OCSP is offline by design; prefer publishing the internal CA's CRL on a reachable distribution point so revocation stays enforceable |
| Development/Testing | true | true (per-cert) | Skip for self-signed certificates |
| Air-Gapped Environments | false | N/A | No route to public revocation services; if an internal CA is used, an internal CRL distribution point with ValidateRevocation=true is the safer choice |

Performance Optimization

  • ✅ Use OCSP over CRL when possible (faster, smaller)
  • ✅ Rely on Windows CRL caching to avoid repeated downloads; a cached CRL is reused until its Next Update time
  • ✅ Monitor CRL size - large CRLs (tens of MB) slow down every cold validation
  • ✅ Consider OCSP stapling in web servers for the benefit of connecting TLS clients
  • ⏱️ Phase 10: Configure timeouts to prevent hanging on slow services

Security Compliance

  • ✅ Audit certificates with SkipRevocationCheck=true quarterly
  • ✅ Document justification for revocation check overrides
  • ✅ Monitor for certificates in Revoked state
  • ✅ Investigate RevocationStatusUnknown warnings promptly
  • ⏱️ Phase 10: Enable AlertOnDisabledRevocation for compliance validation

Next Steps