What does revocation mean?
Revocation is the process that declares a certificate invalid. Revoked certificates are listed on Certificate Revocation Lists (CRLs), which the CA publishes periodically. The revocation status is also available immediately after the certificate is blocked via the Online Certificate Status Protocol (OCSP). CRLs and OCSP are publicly accessible, but only the revoked certificate’s serial number is published.
When an encryption certificate is revoked, it is very important that you keep the private key: you will still need it to decrypt data that was encrypted with this old or revoked certificate. When a signature certificate is revoked, you can delete the private key, as you will no longer be able to use it to create a valid digital signature.
Are revoked certificates deleted from the CRL after a certain amount of time?
This depends on the type of certificate:
- Revoked SSL/TLS and email certificates are removed from the Certificate Revocation List (CRL) once the certificate’s own validity period has expired.
- Revoked certificates for signing documents stay on the CRL even after the expiry date specified on the certificate. For signature validation, it’s important to know whether or not the certificate was valid at the time of signing.
Can I test a certificate and will I receive reimbursement if the certificate is revoked?
Essentially, the end customer or partner does not have a claim to any refund or credit in accordance with the GTC. So it’s always a question of goodwill on the part of SwissSign.
We currently follow the goodwill rules below:
- Within 30 days of issue, each customer can choose between a refund and a voucher for 100% of the value of the certificate that was obtained and then revoked.
- After 30 days, the customer will receive a voucher for the remaining term of the certificate concerned if the certificate is revoked.
- Of course, this does not apply to SwissSign’s guarantee obligation with respect to advice and issuing certificates.
Revocation, Invalidity – what should I do?
The reasons to revoke a certificate, i.e. to declare it invalid, include:
- The user has forgotten the password for the private key.
- The key material has been corrupted or compromised (see also the section ‘Reporting a key compromise’).
- The information in the certificate is no longer up to date (e.g. a changed email address or the holder leaving the organisation).
Both the certificate holder and the CA can revoke a certificate. For email certificates with a company entry, the relevant organisation can also apply for revocation.
There are three different ways to revoke a SwissSign certificate:
- Online revocation: this is an option if you requested the certificate via a technical user account on swisssign.net.
- Online revocation: you can revoke certificates online at swisssign.net, provided you still have the private key or the revocation code. The code can be found in the approval email for this certificate. Go to swisssign.net and, without logging in, enter the certificate licence number you received when you purchased the certificate in the ‘Licence:’ search field. The certificate will then be shown. Click the ‘Declare invalid’ button and revoke the certificate using the revocation code from the approval email.
- Offline revocation: the offline revocation form (PDF, 57 KB) is available for offline revocation.
Terms and revocation
Technical terms and contractual terms
A certificate has a specific validity period (technical term). For the Managed PKI service, this is independent of the commercial contractual term (service period). Certificates can therefore be issued during the service period whose validity extends well beyond the end of the service period. The contract is open-ended and can be terminated at the end of the one-year service period with notice of three months.
Revocation with re-issue
Certificate revocation and subsequent re-issue (e.g. change of employee) is considered to be a single certificate.
Revocation – contract termination
At the end of the contract, any certificates that are still valid will be revoked, either by you or by our support team. To arrange this, please contact firstname.lastname@example.org or call +41 848 77 66 55.
Who can revoke the certificate? The company, or only the person to whom the certificate belongs?
Either of these.
Reporting a key compromise
If a key compromise is discovered, it is important for the certificate to be revoked immediately or for the key compromise to be reported to SwissSign.
If it is one of your own certificates:
- Shop: if the certificate was ordered in the shop, please follow the instructions above.
- MPKI: for an MPKI, you can block the corresponding certificate yourself using your MPKI access.
If it’s an external certificate, please follow the steps below.
- If possible, please notify the certificate holder.
- Send us an email containing the points below to email@example.com:
1) The email must have the following subject: ‘Key compromise SwissSign certificate’
2) The email must contain the following elements in the body (not as an attachment):
a) The certificate concerned (base64/PEM encoded)
b) A Certificate Signing Request (CSR) signed with the private key concerned and containing the Common Name (CN) ‘Key compromise SwissSign certificate’ (base64/PEM encoded; all other CSR fields may have any value)
c) Details of the applicant in addition to the email address, if applicable
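Item b) is a proof of possession: a CSR signed with the compromised private key shows that whoever reports the compromise really controls that key. The following added example (not SwissSign’s tooling; the key and certificate are throwaway material generated inside the script) builds that CSR with openssl and then runs the checks a recipient would make before acting on the report.

```shell
#!/bin/sh
# Added example, not SwissSign's own tooling: build the proof-of-possession CSR
# asked for in item b) and check it the way the recipient would.
set -eu

WORK=$(mktemp -d)

# Constructed test material: a throwaway key and self-signed certificate stand
# in for the compromised certificate and its private key, which you already hold.
openssl genrsa -out "$WORK/compromised.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/compromised.key" -days 1 \
  -subj "/CN=test.example" -out "$WORK/compromised.crt" 2>/dev/null

# make_report_csr KEY OUT: CSR with the agreed CN, signed by the compromised key.
# Only the CN matters; every other field is left empty.
make_report_csr() {
  openssl req -new -key "$1" -subj "/CN=Key compromise SwissSign certificate" \
    -out "$2" 2>/dev/null
}

# verify_report_csr CSR CERT: succeeds only if the CSR's self-signature verifies,
# the CN is the agreed string, and the CSR carries the same public key as the
# certificate being reported (so the signer really holds that private key).
verify_report_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject \
    | grep -q "CN *= *Key compromise SwissSign certificate" || return 1
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$csr_pub" = "$crt_pub" ]
}

make_report_csr "$WORK/compromised.key" "$WORK/report.csr"
if verify_report_csr "$WORK/report.csr" "$WORK/compromised.crt"; then
  echo "report.csr is a valid proof of possession for compromised.crt"
fi
```

The PEM text of `report.csr` is what goes into the email body, next to the PEM of the certificate itself.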