Revoke x.509 Certificate

The document explains the process of obtaining and revoking X.509 digital certificates, detailing how users can verify certificates using the public keys of Certification Authorities (CAs) and the importance of securely exchanging these keys. It outlines the conditions under which a certificate may be revoked, such as compromise of the user's private key or certificate, and describes the Certificate Revocation List (CRL) that CAs maintain. Additionally, it emphasizes the need for users to check the CRL to ensure the validity of a certificate before use.

Obtaining & Revocation of Digital Certificate (X.509 Certificate) | How to obtain a digital certificate | Why is a digital certificate revoked?

Obtaining Digital Certificate (X.509 Certificate)

Any user can verify a certificate if he/she has the public key of the CA that issued the certificate.
Since certificates are unforgeable, they can simply be stored in the directory without further
protection. The directory entry for a CA X includes two types of certificates:

Forward certificates: Certificates of X generated by other CAs.

Reverse certificates: Certificates generated by X for other CAs.

Figure: Forward and Reverse Certificate

Users subscribed to the same CA can obtain each other's certificates from the directory. Suppose A has
obtained a certificate from certification authority (CA) X1 and B has obtained a certificate from
certification authority (CA) X2. A user may also send the certificate directly to the other user. If A
does not know the public key of X2, then B's certificate, issued by X2, is useless to A: A can read B's
certificate, but A cannot verify the signature on it. However, there are multiple CAs, and users
subscribed to different CAs may want to communicate with each other. (This paragraph relates to the figure below.)
Figure: Obtaining Digital Certificate

But if the two CAs have securely exchanged their own public keys, the following procedure enables A
to obtain B's public key:

A obtains from the directory the certificate of X2 signed by X1. Because A securely knows X1's public
key, A can verify X1's signature on that certificate and so obtain X2's public key. A then obtains the
certificate of B signed by X2. A now has a copy of X2's public key, so A can verify the signature and
securely obtain B's public key. (This paragraph relates to the figure below.) In this case, A has used a
chain of certificates to obtain B's public key. In the notation of X.509, this chain is expressed as:
X1<<X2>> X2<<B>>

Figure: Chain of Certificate


Revocation of Digital Certificate (X.509 Certificate)

Certificate revocation is the act of invalidating a certificate before its scheduled expiration date.
Revoked certificates are recorded on a list maintained by the CA, called the Certificate Revocation List
(CRL). A certificate needs to be revoked if:

1. The user’s private key has been compromised.

2. The user’s certificate has been compromised.

3. The user is no longer certified by the CA.

The certificate revocation format is shown in the figure.

Each CA (Certificate Authority) must maintain a list of all revoked but not yet expired certificates
issued by that CA, including both those issued to users and those issued to other CAs. Each certificate
revocation list (CRL) posted to the directory is signed by the issuer and includes:

1. The issuer’s name,

2. The date the list was created,

3. The date the next CRL is scheduled to be issued, and

4. An entry for each revoked certificate.

Every user must check the CRL before using another user's public key.

Figure: Certificate Revocation Format
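The two procedures above, A walking the chain X1<<X2>> X2<<B>> while trusting only X1 and then consulting X2's CRL before using B's public key, as an added Go example using only the standard library's crypto/x509 (this is not code from the original document). The CA names X1, X2 and the user B follow the text; the keys, serial numbers, validity periods and the must helper are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// mkCert: fresh P-256 key plus a one-day certificate for it named cn, signed by issuer (self-signed when nil). Constructed example PKI, not real CA material.
func mkCert(cn string, serial int64, isCA bool, issuer *x509.Certificate, ikey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign } // a CA key signs certificates and CRLs
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if issuer == nil { issuer, ikey = tpl, key } // self-signed root: the template is its own issuer
	der := must(x509.CreateCertificate(rand.Reader, tpl, issuer, &key.PublicKey, ikey))
	return must(x509.ParseCertificate(der)), key
}
// BuildPKI sets up the page's scenario: root X1, X1<<X2>> (X2 certified by X1) and X2<<B>> (B certified by X2).
func BuildPKI() (x1, x2, b *x509.Certificate, x2Key *ecdsa.PrivateKey) {
	x1, x1Key := mkCert("X1", 1, true, nil, nil)
	x2, x2Key = mkCert("X2", 2, true, x1, x1Key)
	b, _ = mkCert("B", 3, false, x2, x2Key)
	return
}
// IssueCRL has X2 post a signed CRL carrying its name, this/next update dates and one entry per revoked serial.
func IssueCRL(x2 *x509.Certificate, x2Key *ecdsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked { tpl.RevokedCertificates = append(tpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()}) }
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tpl, x2, x2Key))))
}
// ValidateB is A's check before using B's public key, trusting only X1: walk X1<<X2>> X2<<B>>, then consult X2's CRL (issuer signature, NextUpdate freshness, serial lookup).
func ValidateB(x1, x2, b *x509.Certificate, crl *x509.RevocationList) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(x1); inter.AddCert(x2)
	if _, err := b.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil { return fmt.Errorf("chain does not lead to X1: %w", err) }
	if err := crl.CheckSignatureFrom(x2); err != nil { return fmt.Errorf("CRL not signed by X2: %w", err) }
	if time.Now().After(crl.NextUpdate) { return fmt.Errorf("CRL stale since %v: fetch a fresh one", crl.NextUpdate) }
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(b.SerialNumber) == 0 { return fmt.Errorf("certificate %v revoked at %v", b.SerialNumber, e.RevocationTime) }
	}
	return nil
}
```

ValidateB returns nil only when the chain ends at X1 and X2's current, correctly signed CRL does not list B's serial; any other outcome is an error A must treat as "do not use this key".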


What happens when you revoke a certificate?

Ideally, browsers and other clients should detect in a timely manner that the certificate has been
revoked, show a security warning that the certificate is no longer trusted, and prevent the user from
continuing to use such a website. See the figure below.
