TL;DR
Generally, a revoked SSL/TLS certificate cannot be directly reinstated: once revoked, it is permanently invalid. However, you can request a new certificate from your Certificate Authority (CA) to replace the revoked one. The process depends on why the certificate was revoked.
Understanding Certificate Revocation
SSL/TLS certificates are revoked for several reasons:
- Compromised Private Key: If your private key is stolen or exposed, the CA will revoke the certificate to prevent misuse.
- Incorrect Information: Errors in the certificate details (domain name, organisation name) can lead to revocation.
- Change of Ownership/Details: If your company changes its name or ownership, the existing certificate is no longer valid.
- Operational Issues: Problems with the CA’s infrastructure might necessitate a revocation and re-issue.
Revocation ensures that browsers and other clients stop trusting the compromised certificate.
Steps to Replace a Revoked Certificate
- Identify the Reason for Revocation: Check your email from the CA or log into their portal. Knowing the reason is crucial for getting a new certificate quickly.
- Generate a New Certificate Signing Request (CSR): You’ll need to create a new CSR on your server. The process varies depending on your web server software:
  - Apache: Use openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr to generate a new private key and CSR.
  - Nginx: Typically, you’ll use the nginx -t command to test the configuration and then restart Nginx after CSR generation. The specific commands depend on how Nginx is set up.
  - IIS (Windows): Use the IIS Manager tool to create a new CSR request.
- Submit the CSR to Your CA: Log into your CA’s portal and follow their instructions for submitting a new certificate request. You will usually need to provide details about your domain, organisation, and contact information.
- Validation Process: The CA will validate your ownership of the domain (e.g., via email, DNS record check). This process is similar to obtaining the original certificate.
- Install the New Certificate: Once validated, download the new certificate from the CA’s portal and install it on your server. Again, the installation steps depend on your web server software:
  - Apache: Update your virtual host configuration file with the paths to the new certificate and private key.
  - Nginx: Update your Nginx configuration file (usually in /etc/nginx/sites-available/) with the new certificate and key paths, then reload Nginx using sudo nginx -s reload.
  - IIS (Windows): Use the IIS Manager tool to import the new certificate.
- Test Your New Certificate: Verify that your new certificate is installed correctly and trusted by browsers. You can use online SSL checker tools like SSL Shopper or DigiCert SSL Installation Checker.
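The key and CSR generation from step 2 together with the local checks worth running before reloading the web server in steps 5 and 6, as an added shell example that is not part of this article. It assumes only the openssl command-line tool; the file names, the domain example.com and the throwaway local CA that stands in for the real CA are constructed for the demo.

```shell
# Added example, not from the original article. Assumes only the openssl CLI;
# file names, example.com and the throwaway local CA are constructed for the demo.
set -eu

# Step 2 of the article: a fresh private key and CSR for the domain.
# -nodes leaves the key unencrypted, so restrict its file permissions.
make_csr() {  # make_csr <domain> <keyfile> <csrfile>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2" -out "$3" 2>/dev/null
  chmod 600 "$2"
}
# The CSR must carry the intended domain; catches typos before submission.
csr_cn() {  # csr_cn <csrfile>; prints the CN
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
# The replacement cert must belong to the new key: compare the public keys.
key_matches_cert() {  # key_matches_cert <keyfile> <certfile>; exit 0 if they match
  k=$(openssl pkey -in "$1" -pubout | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# The new cert must not be the revoked one: the serial numbers must differ.
serial_changed() {  # serial_changed <old_cert> <new_cert>; exit 0 if different
  [ "$(openssl x509 -in "$1" -noout -serial)" != "$(openssl x509 -in "$2" -noout -serial)" ]
}

# Demo: a throwaway local CA stands in for the real CA so everything runs
# offline. Prints OK when every check passes (set -e aborts otherwise).
demo() (
  d=$(mktemp -d); cd "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.crt -days 1 2>/dev/null
  make_csr example.com old.key old.csr   # the certificate that was revoked
  openssl x509 -req -in old.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
    -days 1 -out old.crt 2>/dev/null
  make_csr example.com new.key new.csr   # the replacement key and CSR
  openssl x509 -req -in new.csr -CA ca.crt -CAkey ca.key -set_serial 2 \
    -days 1 -out new.crt 2>/dev/null
  [ "$(csr_cn new.csr)" = "example.com" ]
  key_matches_cert new.key new.crt
  if key_matches_cert old.key new.crt; then exit 1; fi   # old key must not fit
  serial_changed old.crt new.crt
  openssl verify -CAfile ca.crt new.crt >/dev/null   # chains to the CA
  cd /; rm -rf "$d"
  echo OK
)
demo
```

Against a real deployment, run key_matches_cert and serial_changed on the key and certificate files referenced by the Apache or Nginx configuration before the reload, and keep the online checkers above for the externally visible chain.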
Can You Appeal a Revocation?
In rare cases, if you believe the revocation was issued in error, you can contact your CA to appeal. You’ll need to provide evidence supporting your claim. However, appeals are not always successful.
Preventing Future Revocations
- Secure Your Private Key: Protect your private key with strong passwords and access controls.
- Keep Information Up-to-Date: Ensure that the information in your certificate request is accurate and current.
- Monitor Certificate Expiry Dates: Renew certificates before they expire to avoid unexpected issues.