What does revocation mean?
Revocation is the process that makes a certificate invalid. Revoked certificates are listed in the Certificate Revocation List (CRL), which the CA publishes as specified in the corresponding CP/CPS (Certificate Policies / Certificate Practice Statements).
When an encryption certificate is revoked, it is extremely important that you store the corresponding private key. You will still need this key to decrypt data that was encrypted using the old (revoked) certificate. When a signing certificate is revoked, you can safely delete the private key, because you can no longer use it to create valid signatures.
Are revoked certificates deleted from the CRL after a certain amount of time?
No, revoked certificates or certificates declared invalid also remain on the Certificate Revocation List (CRL) after the expiry date indicated in the certificate. The reason is that for the validation of the signature it is important to know when a certificate was revoked.
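An added example (not SwissSign code) of why the revocation time has to stay on the CRL after the certificate expires: a validator judging an old signature compares its signing time with the revocation time. The serial number, the dates and the `purge_expired` helper are constructed for illustration, and the signing time is assumed to come from a trusted timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


# Constructed CRL content: serial number -> time of revocation.
CRL_FULL = {0x1A2B: utc(2021, 6, 1)}


def purge_expired(crl, certs, now):
    """Hypothetical (wrong) behaviour: drop entries once the certificate expired."""
    expiry = {c.serial: c.not_after for c in certs}
    return {s: t for s, t in crl.items() if expiry.get(s, now) > now}


def signature_status(cert, crl, signed_at):
    """Judge a signature at its (assumed trusted) signing time, not at 'now'."""
    if not (cert.not_before <= signed_at <= cert.not_after):
        return "rejected: signed outside validity period"
    revoked_at = crl.get(cert.serial)
    if revoked_at is not None and signed_at >= revoked_at:
        return "rejected: signed after revocation"
    return "accepted"


CERT = Cert(0x1A2B, utc(2020, 1, 1), utc(2022, 1, 1))
NOW = utc(2023, 1, 1)  # validation takes place after the certificate expired
CRL_PURGED = purge_expired(CRL_FULL, [CERT], NOW)

if __name__ == "__main__":
    for label, crl in (("full CRL", CRL_FULL), ("purged CRL", CRL_PURGED)):
        for signed_at in (utc(2021, 3, 1), utc(2021, 9, 1)):
            print(label, signed_at.date(), signature_status(CERT, crl, signed_at))
```

With the full CRL, the signature made before revocation is accepted and the one made after it is rejected; with the purged CRL, the signature made after revocation is wrongly accepted.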
Can I test a certificate and will I receive reimbursement if the certificate is revoked?
In principle, the end customer or partner has no entitlement to reimbursement or credit under the general terms and conditions. Any reimbursement is therefore always a concession on the part of SwissSign.
However, we have seen that customers are very satisfied with their SwissSign certificates, and we currently apply the following goodwill rules: within 30 days of issue, every customer has the choice of a refund or a 100% voucher for the amount of the purchased and revoked (withdrawn) certificate.
After 30 days the customer receives a voucher for the remaining period of validity of the certificate in question in the event of revocation.
Of course, this does not affect the warranty obligation of SwissSign regarding advice and the issuing of certificates.
Revocation, Invalidity – what should I do?
Reasons for revoking a certificate or declaring it invalid:
- The user has forgotten their password for their private key.
- The key material has been corrupted.
- The information in the certificate is no longer up to date (e.g. the e-mail address, or the holder leaving the organization).
Both the certificate holder and the CA can revoke a certificate. If a certificate that is not yours must be revoked or is incorrect, please report it to SwissSign using the contact page so that SwissSign can initiate a revocation. For e-mail certificates with an organization entry, the corresponding organization can also request the revocation. The CA (SwissSign) puts revoked certificates (by serial number) on the corresponding Certificate Revocation List (CRL), which is publicly accessible and referenced in all SwissSign certificates.
You can revoke SwissSign certificates in three ways:
- Online revocation: possible when you have requested the certificate via a technical user account on www.swisssign.net.
- Online revocation: also possible when you still have your private key or the revocation code. Open the swisssign.net page and enter the license number for the certificate, which you received at the time of purchase, in the "Licence" field. You do not need to log in. The certificate is displayed. You can now revoke the certificate with the revocation code from the approval mail by clicking the "Revoke" button.
- Offline revocation: for this you have the offline revocation form (PDF, 57 KB) available.
Terms and revocation
Technical terms and contract terms
A certificate includes a specific period of validity (technical term). For the Managed PKI service, this is independent of the commercial contract term (performance period). During the performance period, certificates can thus be issued with a validity which goes well beyond the end of the performance period. The contract is unlimited in duration and may be terminated subject to a notice period of three months to the end of the one-year service period.
Revocation and re-issue
A certificate revocation (withdrawal) followed by a subsequent re-issue (e.g. employee change) only constitutes the acquisition of a single certificate.
Revocation – contract termination
At the end of the contract, those certificates which are still valid are withdrawn – either by you yourself or our Support team. Please contact us in this regard by sending an e-mail to firstname.lastname@example.org or calling +41 848 77 66 55.
Who can revoke the certificate? The company, or only the person to whom the certificate belongs?
Revocation of 5-year SSL certificates
Since 1 April 2015, CAs have no longer been able to issue 5-year SSL certificates. If, after this period, the customer uses certificate licences which were purchased before, we are obliged to withdraw these licences. Affected customers can have their certificate reimbursed by us or receive a 3-year certificate and a voucher to purchase another certificate. Please contact our support team here.