Industry timeframes for certificate revocation
Time is crucial when a TLS certificate revocation is required. Industry standards define exactly how long certificate authorities have to respond, and in some cases the deadline is as little as 24 hours.
Short deadlines require a quick response. In this guide, we’ll outline the triggers and revocation timelines, as well as the reasons why automation is essential for maintaining regulatory compliance and trust.
TLS revocation: triggers and timelines
Occasionally, events occur that require certificate authorities (CAs) to revoke and replace TLS certificates. One such trigger is a certificate that can no longer be trusted to secure connections and must be revoked to protect users; a widespread industry vulnerability like Heartbleed is one example. Regulatory compliance issues are another potential trigger for revocation, whether with the TLS certificate itself or with the certificate authority.
Upon revocation, the CA must follow the industry standards described in section 4.9.1.1 of the TLS Baseline Requirements: Reasons for Revoking a Subscriber Certificate. The Baseline Requirements define the circumstances and timeframes for revocation: in some cases, certificate revocation must be carried out within 24 hours, while in others, up to five days is permitted. CAs are obligated to comply with these timeframes, regardless of whether it is a bulk revocation or a single certificate revocation.
As a result of these industry requirements for revocation and replacement, publicly trusted TLS server certificates should not be used on systems that cannot tolerate timely revocation.
Reasons for 24-hour revocation
The TLS Baseline Requirements specify that revocation within 24 hours is required when:
- The site owner requests it;
- The certificate was issued without proper authorization;
- The private key is stolen, compromised, or can easily be recovered; or
- The CA can no longer confirm the owner’s control of the domain.
Reasons for revocation within five days
The TLS Baseline Requirements also specify a separate set of reasons for which revocation must occur within five days, including a variety of compliance issues with the certificate or the CA itself.
Examples include:
- Misuse or fraudulent use of the certificate
- Incorrect certificate information
- Incorrect certificate issuance
- Flaws in the keys that make them weak or vulnerable
CA planning for revocation events
Recent changes to Mozilla’s Root Store Policy require CAs to communicate more frequently with subscribers regarding revocation deadlines and their obligations to meet them.
Mozilla’s updated policies also require CAs to formalize their incident planning for certificate revocation, specifically to plan and test their procedures for mass revocation events in advance, incorporating the findings into the continuous improvement of their certificate revocation and replacement capabilities. These mass revocation plans must undergo an annual external audit.
CAs must also publicly report security incidents on Bugzilla, following the guidelines established by the Common CA Database (CCADB), which supports coordination among the various root store programs.
These guidelines require CAs to report a detailed timeline for the investigation and management of problematic certificates, including a complete inventory of the affected certificates and their revocation cycle. The reports are subject to community scrutiny to ensure compliance.
The importance of TLS automation
Organizations can take proactive steps to respond effectively should such an event occur. While this preparation cannot eliminate all disruptions resulting from a revocation, it facilitates meeting required deadlines.
The keys to protecting your organization against revocation events are:
- Ensuring your systems can process certificate revocations and replacements quickly and without disruption.
- Regularly reviewing your certificate inventory to know how many certificates you have and where they are being used.
- Implementing automated certificate lifecycle processes to enable rapid response and readiness.
