Certificate Revoked Error Explained

A revoked certificate is one that the Certificate Authority has declared invalid before its scheduled expiry date. Once revoked, the CA adds the certificate's serial number to its Certificate Revocation List (CRL) and OCSP records. Browsers that check revocation status will refuse to trust the certificate.

Reasons for Revocation

RFC 5280 defines eight reason codes for certificate revocation:

• keyCompromise: The certificate's private key has been stolen or exposed
• cACompromise: The issuing CA's key was compromised
• affiliationChanged: The certificate holder's relationship to the organization changed
• superseded: The certificate was replaced by a new one
• cessationOfOperation: The domain or service is no longer operational
• certificateHold: Temporary hold (rarely used)
• removeFromCRL: Used to rescind a hold
• privilegeWithdrawn / aACompromise: Used in attribute certificate contexts

How Browsers Check Revocation

Browsers use two mechanisms:

• OCSP: Real-time query to the CA's OCSP responder for the specific certificate's status
• CRL: Download of the CA's full revocation list
• CRLite / OneCRL: Firefox's compiled, locally-cached revocation data for efficient offline checking

In practice, Chrome uses OCSP Must-Staple as its preferred mechanism and relies on CRLSets (periodic downloads of important revocations) rather than checking every certificate's OCSP in real time.

What to Do If Your Certificate Was Revoked

1. Determine the reason — check your CA's portal or contact their support
2. If the key was compromised, generate a new key pair immediately (do not reuse the compromised key)
3. Request a new certificate from your CA using the new key pair
4. Deploy the new certificate to all servers
5. Investigate how the key was compromised to prevent recurrence