CRL and OCSP — Certificate Revocation

Certificate revocation is the process of invalidating a digital certificate before its natural expiration date. Certificates are issued by Certificate Authorities (CAs) to bind a public key to an entity (user, server, device). However, circumstances can arise where a certificate should no longer be trusted: the private key is compromised (e.g., stolen, leaked), the certificate was issued incorrectly (e.g., to the wrong domain), or the entity is no longer authorized (e.g., employee left the company). Without revocation, an attacker could use a compromised certificate to impersonate a legitimate server, sign malicious code, or decrypt communications. Revocation ensures that relying parties (browsers, email clients, VPNs) can detect and reject such certificates.

When a CA revokes a certificate, it publishes the revocation information so that relying parties can check it. There are two primary methods: CRLs and OCSP.

#### CRL (Certificate Revocation List)

- Definition: A CRL is a time-stamped list published by a CA that contains serial numbers of revoked certificates, the date of revocation, and optionally the reason for revocation (e.g., keyCompromise, cessationOfOperation). - Process: 1. A certificate holder or administrator reports a compromise to the CA, or the CA revokes for policy violations. 2. The CA updates its internal database and generates a new CRL. 3. The CRL is published to a distribution point (CRL Distribution Point, or CDP) specified in the certificate's CRL Distribution Points extension. 4. Relying parties (e.g., a web browser) download the CRL, cache it, and check the serial number of the certificate they are validating against the list. 5. If the serial number appears, the certificate is considered invalid. - CRL Formats: Defined in RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile). CRLs are signed by the CA to prevent tampering. - CRL Types: - Full CRL: Contains all revoked certificates. Can become large. - Delta CRL: Contains only changes since the last full CRL. Reduces download size. - Freshest CRL: An extension pointing to delta CRLs. - Limitations: - Latency: CRLs are updated periodically (e.g., every 24 hours). A certificate revoked after the last CRL issuance will still be considered valid until the next CRL is downloaded. - Size: Full CRLs can be megabytes, causing bandwidth and processing overhead. - Availability: If the CDP is unreachable, the relying party may accept the certificate (depending on policy).

#### OCSP (Online Certificate Status Protocol)

- Definition: OCSP is a protocol that allows a relying party to query a responder (OCSP responder) for the real-time status of a specific certificate. - Process: 1. The client (e.g., browser) sends an OCSP request containing the certificate's serial number and issuer information. 2. The OCSP responder checks its database (usually the CA's revocation database) and returns a signed response: good, revoked, or unknown. 3. The response includes a thisUpdate and nextUpdate time, allowing the client to cache the result for a short period. - Protocol Details: Defined in RFC 6960. Uses HTTP (port 80) or HTTPS (port 443) for transport. The request is typically a GET or POST with base64-encoded DER data. - Advantages: - Real-time: Provides current status, reducing the window of vulnerability. - Efficient: Only queries for a single certificate, minimizing bandwidth. - Limitations: - Availability: If the OCSP responder is unreachable, the client may fail open (accept the certificate) or fail closed (reject), depending on configuration. Most browsers fail open (soft-fail) to avoid breaking HTTPS. - Privacy: The OCSP responder learns which certificates a client is validating, potentially tracking browsing habits. OCSP stapling mitigates this. - Performance: Each query adds latency.

#### OCSP Stapling

- Definition: OCSP stapling (formally, TLS Certificate Status Request extension, RFC 6066) allows the server to send a time-stamped OCSP response along with its certificate during the TLS handshake. - How It Works: 1. The server periodically fetches an OCSP response from the CA's responder. 2. During the TLS handshake, the server includes (staples) this response in the CertificateStatus message. 3. The client verifies the stapled response instead of making its own OCSP request. - Benefits:

openssl crl -in crl.pem -text -noout

openssl ocsp -issuer ca.pem -cert cert.pem -url http://ocsp.example.com -text

curl -O http://crl.example.com/crl.crl

echo | openssl s_client -connect example.com:443 -status 2>/dev/null | grep -A 20 'OCSP response'

openssl x509 -in cert.pem -text -noout | grep -A 2 'CRL Distribution Points'

CRL and OCSP are the two main mechanisms for checking certificate revocation. CRL is a batch list downloaded periodically; OCSP is a real-time query. OCSP stapling improves performance and privacy. The exam tests your understanding of when to use each, their limitations, and how attackers exploit gaps. Remember: CRL is offline, OCSP is online; CRL has latency, OCSP has availability concerns; OCSP stapling fixes both latency and privacy.

Scenario 1: Compromised Private Key in an Enterprise PKI A company uses internal certificates for VPN authentication. An employee's laptop is stolen, and the private key for their VPN certificate is considered compromised. The IT administrator revokes the certificate via the internal CA. The CA publishes a new CRL and updates the OCSP responder. However, the VPN gateway (a Cisco ASA) is configured to use CRL checking with a 24-hour cache. For the next 24 hours, the attacker could potentially use the stolen certificate to connect to the VPN because the gateway has not yet downloaded the latest CRL. The correct response: configure the VPN gateway to use OCSP with a short cache (e.g., 5 minutes) or use OCSP stapling on the client side. A common mistake: assuming that revocation is instantaneous. In reality, the window of vulnerability depends on the CRL update interval or OCSP response caching. The analyst should monitor logs for failed authentication attempts using the revoked certificate during this window.

Scenario 2: OCSP Responder DDoS Leading to Soft-Fail A major e-commerce site uses OCSP to validate customer certificates. An attacker launches a DDoS attack against the CA's OCSP responder, making it unreachable. Browsers attempting to connect to the site send OCSP requests that time out. Because most browsers are configured with soft-fail (accept certificate if OCSP is unavailable), they proceed with the connection, even if the certificate is actually revoked. The attacker could have previously compromised a certificate and now uses it during the DDoS window. The correct response: implement OCSP stapling with must-staple extension on the server side. This way, the server provides a fresh OCSP response during the TLS handshake, and the client does not need to contact the responder. The must-staple extension forces the client to reject the certificate if no stapled response is provided. A common mistake: assuming that enabling OCSP alone is sufficient; without must-staple, soft-fail can be exploited.

Scenario 3: CRL Size Overwhelming Small Devices An IoT deployment uses certificates for device authentication. The CA issues thousands of certificates, and the CRL grows to several megabytes. IoT devices with limited memory and bandwidth struggle to download and parse the full CRL every update cycle. This leads to devices either failing to validate certificates (rejecting valid ones) or skipping revocation checks entirely (security risk). The correct response: use delta CRLs to reduce download size, or switch to OCSP (which queries only one certificate). Alternatively, use OCSP stapling with the server providing the status. A common mistake: deploying CRLs without considering device constraints. The analyst should monitor CRL download times and device memory usage.