SSL Certificate revocation occurs when a Certificate Authority (CA) permanently invalidates an SSL Certificate before its scheduled expiry date. Once revoked, the SSL Certificate can no longer be used to secure your website and web browsers will display security warnings to visitors.
Understanding why revocation happens and what steps to take afterwards will help you restore your website security as quickly as possible.
Why SSL Certificates Are Revoked
Certificate Authorities (CAs) revoke SSL Certificates when the security integrity of the SSL Certificate or the website it protects has been compromised. Revocation is a protective measure designed to prevent continued misuse of compromised credentials.
The following are common reasons why a Certificate Authority (CA) may revoke an SSL Certificate.
Private Key Compromise
If your Private Key has been exposed, distributed on the internet, or accessed by unauthorized parties, the Certificate Authority (CA) will revoke the associated SSL Certificate immediately.
A compromised Private Key allows anyone in possession of it to impersonate your website or decrypt traffic intended for your server. This represents a serious security breach that cannot be remedied while the SSL Certificate remains active.
Private Key compromise can occur through server breaches, accidental publication in code repositories, sharing via unencrypted channels, or theft by malicious actors. Learn About Private Key Security
Website Security Breach
If your website or server has been hacked or breached, the Certificate Authority (CA) may revoke your SSL Certificate as part of the incident response.
A compromised server means that attackers may have gained access to your Private Key or other sensitive cryptographic material. Even if the Private Key itself was not directly targeted, a breach indicates that the security environment can no longer be trusted.
Domain Control Issues
If you no longer control the domain name for which the SSL Certificate was issued, or if the domain ownership has changed, the Certificate Authority (CA) will revoke the SSL Certificate.
SSL Certificates are issued based on proof of domain control. If that control is lost or transferred, the SSL Certificate is no longer valid for the current domain owner to use.
Fraudulent Issuance
If an SSL Certificate was obtained through fraudulent means, misrepresentation, or by providing false information during the validation process, the Certificate Authority (CA) will revoke it upon discovery.
Subscriber Agreement Violation
When you purchase an SSL Certificate, you agree to the terms and conditions set by the Certificate Authority (CA). These include maintaining the security of your Private Key, protecting your server environment, and notifying the Certificate Authority (CA) of any suspected compromise.
Failure to comply with these obligations can result in revocation. The subscriber agreement exists to protect the integrity of the entire SSL Certificate ecosystem and maintain trust for all internet users.
What Happens When Your SSL Certificate Is Revoked
When a Certificate Authority (CA) revokes your SSL Certificate, the revocation is published to Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) responders.
Web browsers check these sources when connecting to websites. If your SSL Certificate appears as revoked, visitors will see security warnings indicating that the connection is not secure.
Your website will effectively be inaccessible to visitors who trust their browser's security warnings, resulting in lost traffic, damaged reputation, and potential loss of business.
Restoring Your Website Security
The steps required to restore your website security after revocation depend on the reason for the revocation and whether the underlying security issue has been resolved.
When Reissuance May Be Possible
If your SSL Certificate was revoked due to a minor issue that has been corrected, or if you reported a potential compromise proactively, you may be able to reissue your SSL Certificate through the tracking system at no additional cost.
Reissuance produces a completely new SSL Certificate from a new Certificate Signing Request (CSR) and a new key pair, so the compromised credentials are replaced with fresh ones rather than reused.
Access the tracking system to check if reissuance is available for your SSL Certificate. Your Certificate Authority (CA) Reference number is required to access the tracking system. Learn About The Trustico® Tracking System
When a New Purchase Is Required
Depending on the nature of the incident that resulted in revocation, a new paid SSL Certificate order may be required. Revocation does not automatically entitle you to a free replacement.
The subscriber agreement places a contractual obligation on you to maintain the security of your server environment, protect your Private Key, and ensure your website is not compromised. When these obligations are not met, the Certificate Authority (CA) incurs costs associated with the revocation process, security investigations, and maintaining the integrity of the SSL Certificate ecosystem.
Circumstances that typically require a new purchase include serious security breaches where the server environment was compromised, negligent handling of Private Keys, repeated security incidents, or violation of the subscriber agreement terms.
If you are unsure whether your situation qualifies for reissuance or requires a new purchase, attempt to access the tracking system first. If reissuance is not available, you will need to place a new order.
View the available SSL Certificate options to secure your website. Trustico® offers a range of SSL Certificates to suit different requirements and budgets.
Preventing Future Revocation
Taking proactive steps to protect your server environment and cryptographic credentials will help prevent future revocation incidents.
Generate your Private Key directly on your server rather than using external tools or services whenever possible. This ensures your Private Key never leaves the secure environment where it will be used.
Restrict access to your Private Key files using appropriate file permissions. Only the web server process and authorized administrators should have access.
Never share your Private Key via e-mail, store it in publicly accessible locations, or commit it to version control repositories.
Keep your server software, operating system, and all applications up to date with security patches. Many breaches occur through known vulnerabilities that have available fixes.
Monitor your server for signs of compromise and respond immediately to any security incidents. Proactively reporting a suspected compromise to the Certificate Authority (CA) demonstrates good faith and may affect how your situation is handled.
Understanding Certificate Revocation Lists
Certificate Revocation Lists (CRL) are published lists of revoked SSL Certificates maintained by Certificate Authorities (CAs). Web browsers and other applications check these lists to determine whether an SSL Certificate should be trusted.
Online Certificate Status Protocol (OCSP) provides a more efficient method of checking revocation status: instead of downloading the whole list, the client queries the Certificate Authority's (CA) OCSP responder for the status of one specific SSL Certificate.
Modern browsers use a combination of these methods to verify SSL Certificate validity. Some browsers also use proprietary mechanisms such as CRLSets to provide faster revocation checking. Learn About Certificate Revocation