Short timelines require a quick response. In this guide, we describe the revocation triggers and timelines, and explain why automation is essential to maintain regulatory compliance and trust.
TLS Revocation: Triggers and Timelines
Occasionally, events occur that require certificate authorities (CAs) to revoke and replace TLS certificates. A trigger occurs when a certificate can no longer be trusted to provide secure connections and must be revoked to protect users; an example would be a widespread industry vulnerability like Heartbleed. Regulatory compliance issues are another possible trigger for revocation, either with the TLS certificate or with the certificate authority itself.
Upon revocation, the CA must follow the industry standards described in section 4.9.1.1 of the TLS Baseline Requirements, "Reasons for Revoking a Subscriber Certificate". The Baseline Requirements define both the circumstances and the deadlines for revocation: in some cases the certificate must be revoked within 24 hours, while in others up to five days are allowed. CAs are obliged to meet these deadlines regardless of whether they are revoking a single certificate or performing a mass revocation.
As a result of these industry requirements for revocation and replacement, publicly trusted TLS server certificates should not be used in systems that cannot tolerate timely revocation.
Causes of 24-Hour Revocation
The TLS Baseline Requirements specify that revocation within 24 hours is required when:
- The site owner requests it;
- The certificate was issued without proper authorization;
- The private key has been stolen, compromised, or can be easily recovered; or
- The CA can no longer confirm control of the owner's domain.
Causes of 5-Day Revocation
The TLS Baseline Requirements also specify a separate set of reasons for which revocation must be performed within five days, including a variety of compliance issues with the certificate or with the CA itself.
Examples include:
- Misuse or fraudulent use of the certificate
- Incorrect certificate information
- Incorrect certificate issuance
- Weaknesses or defects in the key that leave it vulnerable
CA Planning for Revocation Events
Recent changes to Mozilla's Root Store Policy require CAs to communicate more frequently with subscribers about revocation timelines, as well as CAs' obligations to meet them.
The updated Mozilla policies also require CAs to formalize their incident planning for certificate revocation, in particular to plan and test their procedures for mass revocation events in advance and to feed the findings into continuous improvement of their certificate revocation and replacement capabilities. These mass revocation plans must be subject to an annual external audit.
CAs must also publicly report security incidents on Bugzilla, following the guidelines established by the Common CA Database (CCADB), which supports coordination among the various root store programs.
These guidelines require CAs to report a detailed schedule of investigation and management of problematic certificates, including a complete inventory of affected certificates and their revocation cycle. Reports are subject to community scrutiny to ensure compliance.
The Importance of TLS Automation
Organizations can take proactive measures to respond effectively if such an event occurs. While this preparation cannot eliminate all disruptions resulting from a revocation, it facilitates compliance with required timelines.
Being proactive also has a positive long-term effect, as it simplifies day-to-day management of the TLS certificate lifecycle and helps you prepare for upcoming industry changes. For example, under the TLS Baseline Requirements, the maximum validity period of TLS certificates will soon be reduced: first from 398 days to 200 days, then to 100 days, and finally to just 47 days. These changes will require organizations to develop the agility needed to replace certificates more frequently and more quickly.
The keys to protecting your organization against revocation events are:
- Ensure that your systems can process certificate revocation and replacement quickly and without disruption.
- Periodically review your certificate inventory so you know how many certificates you have and where you are using them.
- Implement automated certificate lifecycle processes to enable rapid response and preparation.
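As an added example (not code from the original guide), the following Go program shows what one check in such an inventory review can look like: it builds a constructed self-signed certificate and audits it against the 398/200/100/47-day validity caps, computes the days left to expiry, and flags certificates that carry no OCSP or CRL endpoint, since a revocation of those cannot be detected. The hostnames and the cap list are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Current and upcoming maximum validity periods, in days (assumed from the guide).
var validityCaps = []int{398, 200, 100, 47}

// Finding summarises why a certificate in the inventory needs attention.
type Finding struct {
	Subject          string
	ValidityDays     int   // NotAfter - NotBefore
	FailsCaps        []int // caps this certificate's lifetime would already exceed
	DaysToExpiry     int   // days remaining from "now"
	NoRevocationInfo bool  // no OCSP or CRL endpoint: revocation cannot be monitored
}

// AuditCert evaluates one parsed certificate against the caps and revocation checks.
func AuditCert(c *x509.Certificate, now time.Time) Finding {
	f := Finding{Subject: c.Subject.CommonName}
	f.ValidityDays = int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
	f.DaysToExpiry = int(c.NotAfter.Sub(now).Hours() / 24)
	for _, limit := range validityCaps {
		if f.ValidityDays > limit {
			f.FailsCaps = append(f.FailsCaps, limit)
		}
	}
	f.NoRevocationInfo = len(c.OCSPServer) == 0 && len(c.CRLDistributionPoints) == 0
	return f
}

// newTestCert builds a constructed self-signed certificate for demonstration only.
func newTestCert(cn string, notBefore time.Time, days int, ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		OCSPServer:   ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	c, _ := newTestCert("www.example.test", now.AddDate(0, 0, -30), 365, []string{"http://ocsp.example.test"})
	fmt.Printf("%+v\n", AuditCert(c, now)) // 365-day cert: fails the 200, 100 and 47-day caps
}
```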