Historical Content Alert

This is historical content for the Windows 2000 product and is presented for informational purposes only. All content on this page is copyrighted and owned by Microsoft.

Certificate revocation

Revocation of a certificate invalidates a certificate as a trusted security credential prior to the natural expiration of its validity period. There are a number of reasons why a certificate, as a security credential, could become untrustworthy prior to its expiration. Examples include:

  • Compromise, or suspected compromise, of the certificate subject's private key.
  • Discovery that a certificate was obtained fraudulently.
  • Change in the status of the certificate subject as a trusted entity.

A public key infrastructure (PKI) depends on distributed verification of credentials, in which there is no need for direct communication with the central trusted entity that vouches for the credentials. This creates a need to distribute certificate revocation information to the individuals, computers, and applications that attempt to verify the validity of certificates. The need for revocation information, and how timely it must be, varies with the application and how it implements certificate revocation checking.

To support a variety of operational scenarios, Certificate Services incorporates support of industry-standard certificate revocation lists (CRLs) to distribute information about revoked certificates. Windows 2000 certification authorities (CAs) support certificate revocation and publication of the CRL to Active Directory. Clients can fetch the CRL from a CA and then keep it in a local cache to use when verifying certificates issued by that CA. This same mechanism supports CRLs published by commercial CAs, or other certificate services products, provided the published CRLs are accessible to clients via the network.
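The client-side behaviour described above (fetch the CA's CRL, cache it, consult it when verifying certificates) as an added Go example that is not code from this page, from Windows 2000 or from Certificate Services; it uses only the Go standard library to build a throw-away CA and CRL in memory, then checks a serial number against the cached CRL exactly as a verifier must: signature from the issuing CA, ThisUpdate..NextUpdate window, then the revoked-serial lookup. The CA name and serial numbers are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the demo construction short; a real client would propagate the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildDemoPKI makes a throw-away CA and a CRL revoking one serial, in memory (constructed sample data).
func buildDemoPKI(now time.Time, revoked *big.Int) (*x509.Certificate, []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // cRLSign is required to issue CRLs
	caDER := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER)) // parsed copy carries the generated SubjectKeyId
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: now}}}
	return caCert, must(x509.CreateRevocationList(rand.Reader, crl, caCert, caKey))
}

// checkCRL is the client-side check on a cached CRL: verify the CA's signature, confirm the
// list is inside its ThisUpdate..NextUpdate window (stale lists must be refetched), then look up the serial.
func checkCRL(caCert *x509.Certificate, crlDER []byte, serial *big.Int, now time.Time) string {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(caCert) != nil {
		return "invalid" // unparsable, or not signed by this CA: never trust it
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "stale"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return "revoked"
		}
	}
	return "good"
}
```

A cached CRL answers "stale" once NextUpdate has passed, which is the signal to refetch from the CA or from Active Directory rather than keep trusting the old list.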

For conceptual information about using certificate revocation in Certificate Services, see Revoking certificates and publishing CRLs. For procedures to manage certificate revocation, see Manage Certificate Revocation.
