SSH Tectia

Certificate Revocation

Certificates have pre-defined lifetimes, ranging from a couple of weeks to several years. If the private key of an end entity is compromised, or the right to authenticate with a certificate is lost before the expiration date, the CA must revoke the certificate and make the revocation known to every party that relies on it. Certificate revocation lists are one mechanism for this.

A certificate revocation list (CRL) is a signed list of the serial numbers of revoked certificates, issued by the CA that originally issued those certificates. Each CA publishes CRLs on a regular basis; the publishing interval may vary from a couple of minutes to several hours, depending on the security policy of the CA. Verification of a certificate therefore has to include retrieving the latest CRL and checking that the certificate is not listed in it: a certificate that chains correctly to a trusted CA may still be revoked, and the chain check alone does not reveal that.

As certificate revocation lists are updated only periodically, they do not provide real-time status information: a certificate revoked after the current CRL was published is still accepted until the next CRL is fetched. If stricter security is required, online certificate status services can be used. In the Online Certificate Status Protocol (OCSP), a dedicated OCSP responder answers status requests for individual certificates made by end entities. This kind of function is required, for example, in a PKI where high-value business transactions are digitally signed.
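The following added example is not part of the SSH Tectia documentation and does not use Tectia's own tooling; it demonstrates the CRL mechanism described above with the OpenSSL command line. It builds a throwaway CA in a temporary directory, issues one leaf certificate, revokes it with the reason key compromise, publishes a CRL, and then verifies the leaf twice: once with chain validation only (accepted, because nothing consults the CRL) and once with CRL checking enabled (rejected as revoked). All names in it (Demo CA, leaf.example, the file names and the config sections) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not SSH Tectia code: a throwaway CA built with the OpenSSL CLI,
# one leaf certificate, its revocation for key compromise, CRL publication, and
# verification with and without CRL checking. Every name below is a constructed
# placeholder; the CA lives in a temporary directory removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for `openssl req` and `openssl ca` (hypothetical sections).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = policy_any
x509_extensions  = leaf_ext

[ policy_any ]
commonName = supplied
EOF

build_demo_pki() {
    mkdir -p newcerts
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber

    # Self-signed CA certificate whose key may sign both certificates and CRLs.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 30 -subj "/CN=Demo CA" -config ca.cnf -extensions ca_ext >/dev/null 2>&1

    # Leaf key pair, CSR, and certificate issued by the CA (serial 01).
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt -notext >/dev/null 2>&1

    # The leaf's private key is treated as compromised: revoke it and publish a CRL
    # that is valid for default_crl_days (1 day) from now.
    openssl ca -batch -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Chain validation only: succeeds, because the CRL is never consulted.
verify_leaf_without_crl() {
    openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
}

# Chain validation plus revocation check against the published CRL: fails.
verify_leaf_with_crl() {
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt >/dev/null 2>&1
}

# Is the leaf's serial number listed in the CRL?
leaf_is_listed_in_crl() {
    serial=$(openssl x509 -in leaf.crt -noout -serial | sed 's/^serial=//')
    openssl crl -in ca.crl -noout -text | grep -q "Serial Number: $serial"
}

build_demo_pki

# lastUpdate/nextUpdate bound the CRL's validity; a relying party refetches once
# nextUpdate has passed, and anything revoked in between goes unnoticed until then.
echo "CRL validity window:"
openssl crl -in ca.crl -noout -lastupdate -nextupdate

if verify_leaf_without_crl; then
    echo "without -crl_check: leaf accepted (revocation never consulted)"
fi
if verify_leaf_with_crl; then
    echo "with -crl_check: leaf accepted (unexpected)"
else
    echo "with -crl_check: leaf rejected as revoked"
fi
```

The two `openssl verify` calls are the point: the revoked certificate still chains to the trusted CA and passes a plain chain check, so any validator that does not explicitly fetch and consult the CRL (or query an OCSP responder) will keep accepting it until it expires.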

Figure 6.2. Simplified certificate structure

As shown in Figure 6.2, the identity information is stored in the certificate itself. With bare public keys, the identity of the owning entity must instead be derived from the context in which the public key is used, for example from its association with a specific user account on the server machine, or with the IP address of a server in a client program.
