SSH Tectia

Certificate Revocation

Certificates have pre-defined lifetimes, lasting from a couple of weeks to several years. If a private key of an end entity is compromised or the right to authenticate with a certificate is lost before the expiration date, the CA must revoke the certificate and inform all PKI users about this. Certificate revocation lists can be used for this purpose.

A certificate revocation list (CRL) is a list identifying revoked certificates, signed by the CA that originally issued them. Each CA publishes CRLs on a regular basis. The publishing interval may vary from a couple of minutes to several hours, depending on the security policy of the CA. Verification of a certificate has to include retrieving the latest CRL and checking that the certificate has not been revoked.

As certificate revocation lists are updated on a periodic basis, they do not provide real-time status information. If stricter security is required, online certificate status services can be used. In the Online Certificate Status Protocol (OCSP), a dedicated OCSP responder entity answers status requests made by end entities. This kind of service is required, for example, in a PKI where high-value business transactions are digitally signed.

Figure 6.2. Simplified certificate structure

As shown in Figure 6.2, the identity information is stored in the certificate itself. With public keys only, the identity of the owning entity must instead be derived from the context that the public key is used in—for example, if it is associated with a specific user account on the server machine, or an IP address of a server in a client program.
