
Certificate revocation

Revoking a certificate invalidates it as a trusted security credential before its validity period would naturally expire. There are a number of reasons why a certificate, as a security credential, can become untrustworthy before it expires. Examples include:

A public key infrastructure (PKI) relies on distributed verification of credentials: a relying party validates a certificate with the issuing certification authority's public key, without communicating directly with the central trusted entity that vouches for the credential. Because the certification authority is not consulted at verification time, revocation information must be distributed separately to the individuals, computers, and applications that verify certificates. How much revocation information an application needs, and how current it must be, depends on the application and on how it implements certificate revocation checking.

To support certificate revocation effectively, the client must be able to determine whether a certificate is still valid or has been revoked. To support a variety of scenarios, Certificate Services supports industry-standard methods of certificate revocation. These include publication of certificate revocation lists (CRLs) and delta CRLs in several locations that clients can access, including the Active Directory directory service, Web servers, and network file shares.

A base CRL is a complete, digitally signed list of unexpired certificates that the certification authority has revoked. Clients retrieve the list, cache it for the CRL's configured lifetime (until its published next update time), and use it to verify certificates presented for use. Because a base CRL can become large, depending on how many certificates the certification authority has issued and revoked, delta CRLs can also be published. A delta CRL contains only the revocations that have occurred since the base CRL it refers to was published, so a client that already holds that base CRL can retrieve the much smaller delta CRL and quickly build a complete list of revoked certificates; a delta CRL on its own is not sufficient. Because a delta CRL is usually far smaller than a full CRL, it costs less to publish and download, which allows it to be published more frequently and makes the revocation information clients hold more current.
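The following is an added example, not code from this page or from Certificate Services, that models in Python how a client builds the complete list of revoked certificates from a cached base CRL and a delta CRL and then decides a certificate's status. The CRL objects, serial numbers and timestamps are constructed in memory; no ASN.1 is parsed and the CRL signatures are assumed to have been verified already. The two rules it applies come from RFC 5280: the delta's Delta CRL Indicator must match the base CRL's number, and an entry with reason removeFromCRL deletes a revocation recorded in the base.

```python
"""Added illustration (not from this page): build the complete revocation list
from a base CRL plus a delta CRL, then decide a certificate's status.
The CRL objects are simplified in-memory models with constructed data; no ASN.1
is parsed and the CRL signatures are assumed to have been verified already."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# CRLReason codes from RFC 5280 section 5.3.1. removeFromCRL appears only in
# delta CRLs and means the entry is no longer revoked (for example a lifted hold).
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    reason: Optional[int] = None


@dataclass(frozen=True)
class Crl:
    crl_number: int
    this_update: datetime
    next_update: datetime
    entries: Tuple[RevokedEntry, ...]
    # Delta CRL Indicator: the CRL number of the base this delta was built from.
    # None on a base CRL.
    base_crl_number: Optional[int] = None

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def is_fresh(crl: Crl, now: datetime) -> bool:
    """A cached CRL is usable only inside its published validity window."""
    return crl.this_update <= now < crl.next_update


def can_apply(base: Crl, delta: Crl) -> bool:
    """RFC 5280 section 5.2.4: a delta may be combined with a complete CRL whose
    CRL number is at least the delta's BaseCRLNumber and no greater than the
    delta's own CRL number."""
    return (not base.is_delta and delta.is_delta
            and delta.base_crl_number <= base.crl_number <= delta.crl_number)


def combine(base: Crl, delta: Crl) -> Dict[int, RevokedEntry]:
    """Return {serial: entry} for every certificate currently revoked."""
    if not can_apply(base, delta):
        raise ValueError("delta CRL does not match this base CRL; fetch a newer base")
    revoked = {e.serial: e for e in base.entries}
    for entry in delta.entries:
        if entry.reason == REMOVE_FROM_CRL:
            revoked.pop(entry.serial, None)  # revocation withdrawn since the base
        else:
            revoked[entry.serial] = entry    # revoked since the base (or reason updated)
    return revoked


def revocation_status(serial: int, base: Crl, delta: Optional[Crl], now: datetime) -> str:
    """'revoked', 'good', or 'unknown' when no fresh revocation data covers `serial`.
    Pass delta=None when the CA does not publish delta CRLs. Whether 'unknown' is
    treated as good (soft fail) or as a failure is the application's policy decision."""
    if not is_fresh(base, now):
        return "unknown"
    if delta is None:
        revoked = {e.serial: e for e in base.entries}
    elif is_fresh(delta, now):
        revoked = combine(base, delta)
    else:
        return "unknown"  # deltas exist but ours is stale: a newer revocation may be missing
    return "revoked" if serial in revoked else "good"


# Constructed sample data, not output of a real CA.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = Crl(10, T0, T0 + timedelta(days=7),
           (RevokedEntry(0x1001, KEY_COMPROMISE), RevokedEntry(0x1002, CERTIFICATE_HOLD)))
DELTA = Crl(12, T0 + timedelta(days=2), T0 + timedelta(days=3),
            (RevokedEntry(0x1003, KEY_COMPROMISE),    # revoked after BASE was published
             RevokedEntry(0x1002, REMOVE_FROM_CRL)),  # hold on 0x1002 lifted
            base_crl_number=10)
# A delta built from a base (number 11) this client has not fetched yet.
DELTA_FOR_NEWER_BASE = Crl(13, T0 + timedelta(days=3), T0 + timedelta(days=4),
                           (RevokedEntry(0x1005, KEY_COMPROMISE),), base_crl_number=11)
NOW = T0 + timedelta(days=2, hours=1)         # BASE and DELTA both fresh
AFTER_DELTA_EXPIRES = T0 + timedelta(days=4)  # DELTA stale, BASE still fresh
AFTER_BASE_EXPIRES = T0 + timedelta(days=8)   # BASE stale as well

if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x1003, 0x1004):
        print(hex(serial), revocation_status(serial, BASE, DELTA, NOW))
    print("can apply DELTA_FOR_NEWER_BASE to BASE:", can_apply(BASE, DELTA_FOR_NEWER_BASE))
```

Two points the model makes concrete: a delta CRL can only be applied to the base CRL it references, so a client that holds an older base must fetch a new one rather than trust the delta alone, and a cached CRL (base or delta) is only usable until its next update time. Past that point the client has no current revocation data and returns "unknown"; whether an application then fails closed or accepts the certificate (soft fail) is exactly the timeliness decision the text describes.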

For conceptual information about using certificate revocation in Certificate Services, see Revoking certificates and publishing CRLs. For procedures to manage certificate revocation, see Manage Certificate Revocation.