Name in API: tlscert_revoked
Severity: High
Factor: Network Security
Summary
The `tlscert_revoked` issue means the TLS certificate used by the endpoint has been revoked by the Certificate Authority (CA). This indicates potential compromise, expiration, or misconfiguration. Revoked certificates are untrusted, causing security risks like MITM attacks and service disruptions. Replacing the certificate ensures secure, compliant encrypted communication.
How Does It Work?
When a TLS certificate is revoked, the issuing Certificate Authority (CA) marks it as invalid. The server checks the certificate's revocation status using mechanisms like CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol). If revoked, the certificate cannot be trusted, and secure connections fail.
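The CRL side of the check described above, reproduced offline as an added lab (this is not SecurityScorecard's tooling or code from this page): a throwaway CA issues a server certificate, publishes an empty CRL, revokes the certificate, publishes a second CRL, and `openssl verify -crl_check` (what a relying party does with a CRL) flips from "valid" to "revoked". All names (Example Lab CA, example.com, file names, the minimal `openssl ca` config) are constructed for the lab; nothing is fetched from the network.

```shell
#!/bin/sh
# Constructed lab: local CA, leaf certificate, CRL before and after revocation.
set -eu

# build_lab_ca DIR: create the CA, the leaf cert and two CRLs inside DIR.
# Runs in a subshell so the cd does not leak into the caller.
build_lab_ca() (
  mkdir -p "$1/ca"
  cd "$1"
  : > ca/index.txt          # openssl ca database (constructed, starts empty)
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = lab_policy
x509_extensions = leaf_ext
unique_subject = no
[ lab_policy ]
commonName = supplied
EOF
  # Self-signed lab CA with a hypothetical name.
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=Example Lab CA" -days 30 2>/dev/null
  # Leaf certificate, issued through "openssl ca" so it is recorded in the CA database.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr -subj "/CN=example.com" 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in server.csr -out server.crt 2>/dev/null
  # CRL #1: published before anything is revoked.
  openssl ca -config ca.cnf -gencrl -out crl_before.pem 2>/dev/null
  # Revoke the leaf; keyCompromise is the reason a real incident would record.
  openssl ca -config ca.cnf -revoke server.crt -crl_reason keyCompromise 2>/dev/null
  # CRL #2: now carries the leaf's serial number.
  openssl ca -config ca.cnf -gencrl -out crl_after.pem 2>/dev/null
)

# revocation_status CERT CA_CERT CRL: the relying-party check.
# Prints "valid", "revoked", or "error" (bad/expired CRL, wrong issuer, ...).
revocation_status() {
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo error ;;
  esac
}

LAB=$(mktemp -d)
build_lab_ca "$LAB"
echo "before revocation: $(revocation_status "$LAB/server.crt" "$LAB/ca.crt" "$LAB/crl_before.pem")"
echo "after revocation:  $(revocation_status "$LAB/server.crt" "$LAB/ca.crt" "$LAB/crl_after.pem")"
```

The same certificate is judged by the same CA; only the CRL differs, which is the point: a certificate that verified yesterday is untrusted today once the CA publishes its revocation, and a client that never fetches the CRL (or an OCSP response) cannot tell the difference.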
Why Is It a Risk?
- Loss of Trust – Revoked certificates are no longer valid, making encrypted connections unreliable.
- Man-in-the-Middle (MITM) Attacks – Attackers could exploit a revoked certificate to intercept sensitive data.
- Service Disruptions – Browsers and applications may block access to the endpoint, causing downtime.
- Compliance Violations – Security frameworks (PCI DSS, NIST) mandate valid certificates for secure communication.
- Potential Compromise – Certificates may be revoked due to exposure, unauthorized use, or security breaches.
Replacing the revoked certificate ensures security, trust, and compliance.
Self Evaluation
You may validate the presence or absence of the revoked certificate on the endpoint by using the following third-party tools. All can be used to compare and resolve contradictory results. However, when comparing results, ensure that the endpoint scanned by each tool is the same and matches the SecurityScorecard finding.
OCSP Check
openssl ocsp -issuer issuer_cert.pem -cert server_cert.pem -url http://ocsp.server.com
Replace issuer_cert.pem with the issuer's certificate and server_cert.pem with the server's certificate; the -url value is the OCSP responder address listed in the server certificate's Authority Information Access extension.
Sslscan
sslscan --revoked example.com
Starting SSLScan 1.11.3 (https://github.com/rbsec/sslscan) ...
OpenSSL 1.1.1 11 Sep 2018
TLSv1.0: Supported
TLSv1.1: Supported
TLSv1.2: Supported
TLSv1.3: Supported
Certificate:
Issuer: Example CA
Subject: example.com
Expiry: 2025-01-01
Revocation Status: Revoked
OCSP URL: http://ocsp.example.com
CRL URL: http://example.com/crl.pem
Serial Number: 1234567890
SHA1 Fingerprint: 12:34:56:78:90:AB:CD:EF:GH:IJ:KL:MN:OP:QR:ST
Cipher Suites Supported:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Testtls
https://testtls.com/
How to mitigate
- Monitor Certificate Status: Use monitoring services to track certificate status, and regularly check for revocations via OCSP or CRL to ensure certificates are still valid.
- Choose a Trusted CA and Automate Renewals: Select a reliable certificate authority (CA), automate certificate renewals, and ensure timely replacement to avoid expiration or revocation issues.
- Implement OCSP Stapling: Enable OCSP stapling on your server to allow clients to check the certificate's revocation status during the TLS handshake, improving both security and performance.
- Have a Contingency Plan: Prepare an incident response plan to quickly replace revoked certificates and notify affected parties in case of an issue.
- Use Strong Key Management and Backup: Secure your private keys, rotate them regularly, and keep secure backups to prevent delays or vulnerabilities if a certificate is revoked.
Remediation
- The endpoint configuration has changed, and the certificate used on the endpoint now has the revocation controls mentioned above in place. => Select the finding and then click on the "Fixed" button, "technical_remediation".
- The endpoint has been closed and is therefore unreachable (or serving a 400/404). => Select the finding and then click on the "Fixed" button, "technical_remediation".
- After verification (using the methods above, for example), the endpoint defined in the finding does have an updated certificate, contrary to what SecurityScorecard is stating. => Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue, and I think it's incorrect," "false_positive."