Certificate Revocation

Certificate Revocation List

  • Certificates can be revoked using a Certificate Revocation List (CRL)
  • Online Certificate Status Protocol (OCSP) is not supported

CRL publication

CRLs are published to an external S3 bucket that is not directly accessible from the public Internet.

To publish publicly, set public_crl to true and provide hosted_zone_id and hosted_zone_name in Terraform variables.

Applying Terraform will result in:

  • CRLs published to a public URL via CloudFront
  • CA certificates published to a public URL via CloudFront
  • CRL Distribution Point (CDP) extension added to certificates
  • Authority Information Access (AIA) extension added to certificates

CRL location

CRL locations are detailed in CA Cert Locations

Enable certificate revocation

CRLs are always published; however, the ability to revoke a certificate needs to be enabled. If you followed the Getting Started guide, you'll already have done this:

  • add a subdirectory to your repository with the same name as the value of the Terraform variable env, e.g. dev, prd
  • add files and subdirectories following the rsa-public-crl example
  • change the value of Terraform variable cert_info_files to ["tls", "revoked", "revoked-root-ca"]
  • apply Terraform

Revoking a certificate

  • identify the serial number by inspecting the certificate, or by looking it up in the DynamoDB table
  • add the details of the certificate to be revoked to the revoked.json list for the relevant environment, e.g. certs/dev/revoked.json:
[
  {
    "common_name" : "test-tls-cert.example.com",
    "serial_number": "400591262296335747457420220526770623344507066427"
  }
]
  • run the pipeline
  • wait up to 24 hours, or manually execute the CA Step Function
  • the revoked certificate can then be viewed within the CRL:

(Screenshot: Revoked certificate)
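The serial number in revoked.json is a decimal string (as in the entry above), while tools such as openssl print the serial in hex, so the most common mistake when revoking is pasting the wrong representation. The following helpers, an added example and not part of the project's own pipeline or tooling, convert an openssl-style hex serial to the decimal form, validate the revoked.json format assumed from the entry shown above (a JSON list of common_name/serial_number objects), and append an entry without creating duplicates. The sample serial is the one from the page; the hex form of it is constructed here for illustration.

```python
import json
import re

# Assumed format, taken from the example on this page:
# a JSON list of {"common_name": ..., "serial_number": "<decimal digits>"} objects.
DECIMAL_SERIAL = re.compile(r"^[0-9]+$")
HEX_SERIAL = re.compile(r"^[0-9A-Fa-f]+$")


def serial_from_openssl(serial_text: str) -> str:
    """Convert the hex serial printed by `openssl x509 -noout -serial`
    (e.g. 'serial=46:2A:...' or 'serial=462A...') to the decimal string
    that revoked.json expects."""
    s = serial_text.strip()
    if s.lower().startswith("serial="):
        s = s[len("serial="):]
    s = s.replace(":", "").strip()
    if not HEX_SERIAL.match(s):
        raise ValueError(f"not a hex serial: {serial_text!r}")
    return str(int(s, 16))


def is_valid_serial(serial_number) -> bool:
    """revoked.json serials are decimal strings; reject hex, empty or non-string values."""
    return isinstance(serial_number, str) and DECIMAL_SERIAL.match(serial_number) is not None


def parse_revoked(text: str) -> list:
    """Load revoked.json text and validate every entry before it reaches the pipeline."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("revoked.json must be a JSON list")
    for entry in entries:
        if (not isinstance(entry, dict)
                or not {"common_name", "serial_number"} <= set(entry)
                or not is_valid_serial(entry["serial_number"])):
            raise ValueError(f"bad revoked.json entry: {entry!r}")
    return entries


def add_revocation(text: str, common_name: str, serial_number: str) -> str:
    """Return revoked.json text with the certificate added. A serial that is
    already listed is left alone, so re-running this is safe."""
    if not is_valid_serial(serial_number):
        raise ValueError(f"serial_number must be a decimal string: {serial_number!r}")
    entries = parse_revoked(text)
    if any(entry["serial_number"] == serial_number for entry in entries):
        return text
    entries.append({"common_name": common_name, "serial_number": serial_number})
    return json.dumps(entries, indent=2) + "\n"


if __name__ == "__main__":
    # Constructed sample: the serial from this page, rendered as openssl would print it.
    page_serial = 400591262296335747457420220526770623344507066427
    hex_serial = "serial=" + format(page_serial, "X")
    decimal = serial_from_openssl(hex_serial)
    print(add_revocation("[]", "test-tls-cert.example.com", decimal))
```

Run it with the output of `openssl x509 -in cert.pem -noout -serial` and write the result to the environment's revoked.json (for example certs/dev/revoked.json) before running the pipeline; the validation in parse_revoked catches a hex or otherwise malformed serial before the CA Step Function ever sees it.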

CRL publication frequency

If required, the default CRL publication frequency of once per day can be changed, as described in Configuration Options

CRL lifetime

If required, the default CRL lifetime of 1 day plus a 600-second overlap period can be changed, as described in Configuration Options