Troubleshooting

Revoked certificates

What revocation means, why it happens, and how to respond when CertShield flags a revoked certificate.

A revoked certificate is one that the issuing Certificate Authority has explicitly declared invalid before its natural expiry date. Browsers and other TLS clients will refuse to connect to any server still serving it, often with a scary red error page.

This is always urgent. Drop what you’re doing.

How CertShield detects revocation

CertShield checks revocation status via the standard mechanisms published by Certificate Authorities — OCSP and CRL — and also watches for revocation entries in public Certificate Transparency log streams. When any of those indicates that a certificate you’re monitoring has been revoked, we mark the certificate and any endpoint currently serving it as Revoked and fire an alert.

Why certificates get revoked

A certificate is typically revoked for one of these reasons:

  • The private key was compromised. Someone suspects (or has confirmed) that the private key leaked, so the CA kills the certificate so that attackers can’t use it for impersonation.
  • The CA made a mistake issuing it. Occasionally a CA discovers that a certificate it issued was issued incorrectly (wrong hostname validation, policy violation, etc.) and revokes it on its own initiative. This happens, and sometimes in big waves — a single CA mistake can revoke thousands of certs at once.
  • The cert was superseded and the owner requested revocation. Less common, because the old cert is about to expire anyway.
  • Regulatory or CA policy change. Rare but does happen.

What to do right now

  1. Don’t wait for it to expire naturally. A revoked cert is immediately unusable in most browsers. Your users are already seeing errors.
  2. Rotate to a new certificate. Issue a new cert from your CA, install it on the endpoint, and verify browsers can connect.
  3. If the revocation reason is “key compromise” and the private key was shared across multiple servers, rotate all of them. Any one leaked key invalidates every use of it.
  4. Update CertShield. Click Check Now on the endpoint after you deploy the new cert to get the freshest probe. CertShield will automatically re-evaluate and flip the endpoint back to healthy.

If you didn’t request the revocation

Two possibilities:

  1. The CA revoked it as part of a wider incident. Check the CA’s status page for an announcement. This has happened a few times industry-wide in recent years — a CA discovers a policy violation, notifies the community, and mass-revokes affected certs. You’ll have to reissue anyway.
  2. Someone on your team or your hosting provider requested it. Check internally. Most revocations are intentional but undocumented.

Either way, the fix is the same: reissue and deploy a new certificate.

Why this is different from “expired”

An expired certificate hit its natural “not after” date. Predictable, schedulable, boring. CertShield alerts you well before this happens.

A revoked certificate is an unscheduled emergency — the CA has pulled the plug unilaterally, often with zero notice. You get whatever time is left until the OCSP/CRL caches in browsers refresh (minutes to hours) before every user is affected. There’s no way to plan around it; you find out when CertShield tells you.
