Certificate Revocation Guide
Overview
Certificate revocation is a critical security mechanism that allows administrators to invalidate certificates before their natural expiration date. This is essential when certificates are compromised, devices are lost or stolen, users leave the organization, or security policies change.
IronWifi provides comprehensive certificate revocation capabilities through Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP), ensuring that revoked certificates are immediately rejected during authentication attempts.
Why Certificate Revocation Matters
Security Incidents
- Lost or stolen devices must be immediately denied access
- Compromised private keys require instant invalidation
- Suspected security breaches need rapid response
- Unauthorized certificate usage must be prevented
Organizational Changes
- Employee terminations require access removal
- Role changes may necessitate new certificates
- Contractor access needs time-limited validity
- Department transfers require updated credentials
Compliance Requirements
- GDPR requires data access control
- HIPAA mandates immediate access revocation
- PCI-DSS requires certificate lifecycle management
- SOC 2 demands audit trails
Operational Needs
- Certificate replacement for upgrades
- Policy changes requiring new certificates
- Device refresh cycles
- Certificate format updates
Revocation Technologies
Certificate Revocation List (CRL)
How CRL Works
CRL Distribution Flow:
1. Certificate Authority maintains CRL
↓
2. CRL contains serial numbers of revoked certificates
↓
3. CRL signed by CA private key
↓
4. CRL published to distribution point
↓
5. RADIUS server downloads CRL periodically
↓
6. RADIUS checks client certificate against CRL
↓
7. If serial number found → Authentication rejected
↓
8. If not found → Authentication proceeds
CRL Structure
X.509 CRL Contents:
Header:
- Version
- Signature algorithm
- Issuer (CA name)
- This update (timestamp)
- Next update (expiration)
Revoked Certificates List:
- Serial number
- Revocation date
- Revocation reason (optional)
- Certificate extensions
Signature:
- CA signature
- Signature algorithm
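To make the CRL flow and structure above concrete, here is an added example in Go using only the standard library (it is not IronWifi code): it builds a throwaway CA, two client certificates and a CA-signed CRL carrying a reason code, then performs the RADIUS-side check, refusing a CRL outside its validity window rather than treating a stale list as "good". All names, serials and timestamps are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 5280 CRLReason codes; the console's revocation-reason dropdown maps onto these.
var reasonNames = map[int]string{0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
	3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation", 6: "certificateHold"}
var oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21} // id-ce-cRLReasons
// CRLStatus is the outcome of checking one client certificate against a CRL.
type CRLStatus struct {
	Revoked   bool
	Reason    string
	RevokedAt time.Time
}

// CheckCRL is steps 5-8 of the flow above: verify the CA's signature on the CRL,
// refuse a CRL outside its ThisUpdate/NextUpdate window (a stale CRL counts as
// unavailable, never as "good"), then look up the serial and decode its reason code.
func CheckCRL(crlDER []byte, ca, leaf *x509.Certificate, now time.Time) (CRLStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return CRLStatus{}, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return CRLStatus{}, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if crl.Issuer.String() != leaf.Issuer.String() {
		return CRLStatus{}, fmt.Errorf("CRL issuer %q does not match certificate issuer", crl.Issuer.String())
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return CRLStatus{}, fmt.Errorf("CRL not valid at %s (NextUpdate %s)", now.Format(time.RFC3339), crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) != 0 {
			continue
		}
		st := CRLStatus{Revoked: true, Reason: "unspecified", RevokedAt: rc.RevocationTime}
		for _, ext := range rc.Extensions { // reasonCode is an optional per-entry extension
			var code asn1.Enumerated
			if _, err := asn1.Unmarshal(ext.Value, &code); ext.Id.Equal(oidReasonCode) && err == nil {
				if st.Reason = reasonNames[int(code)]; st.Reason == "" { st.Reason = fmt.Sprintf("reason(%d)", code) }
			}
		}
		return st, nil
	}
	return CRLStatus{}, nil // serial not listed: authentication may proceed
}

func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildFixture makes constructed test data (no IronWifi artifacts): a throwaway CA, a
// revoked and a valid client certificate, and a CRL listing serial 1001 as keyCompromise.
func BuildFixture(thisUpdate time.Time) (ca, revoked, valid *x509.Certificate, crlDER []byte) {
	notBefore, notAfter := thisUpdate.Add(-24*time.Hour), thisUpdate.Add(365*24*time.Hour)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Test CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = mustIssue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := func(serial int64, cn string) *x509.Certificate {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		return mustIssue(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
			ca, &k.PublicKey, caKey)
	}
	revoked, valid = leaf(1001, "user1@example.test"), leaf(1002, "user2@example.test")
	reason, _ := asn1.Marshal(asn1.Enumerated(1)) // keyCompromise
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1001), RevocationTime: thisUpdate.Add(-time.Hour),
			Extensions: []pkix.Extension{{Id: oidReasonCode, Value: reason}}}},
	}, ca, caKey)
	if err != nil {
		panic(err)
	}
	return ca, revoked, valid, crlDER
}

func main() {
	t0 := time.Date(2024, 12, 16, 14, 0, 0, 0, time.UTC)
	ca, revoked, _, crl := BuildFixture(t0)
	fmt.Println(CheckCRL(crl, ca, revoked, t0.Add(2*time.Hour)))
}
```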
Advantages
- Simple implementation
- Works offline (once downloaded)
- No additional infrastructure required
- Widely supported by all platforms
- Low computational overhead
Disadvantages
- Delayed revocation (update interval)
- Large file size with many certificates
- Bandwidth consumption for downloads
- Cache expiration delays
- Not real-time
Best Use Cases
- Stable environments with infrequent changes
- Offline or air-gapped networks
- Legacy systems requiring CRL
- Low-criticality applications
- Bandwidth-constrained environments
Online Certificate Status Protocol (OCSP)
How OCSP Works
OCSP Query Flow:
1. Client presents certificate to RADIUS
↓
2. RADIUS extracts certificate serial number
↓
3. RADIUS sends OCSP request to OCSP responder
↓
4. OCSP responder checks certificate status
↓
5. OCSP responder returns status:
- Good: Certificate valid
- Revoked: Certificate invalidated (reason, date)
- Unknown: Certificate not found
↓
6. RADIUS makes authentication decision
↓
7. If Good → Authentication proceeds
↓
8. If Revoked/Unknown → Authentication rejected
OCSP Request/Response
OCSP Request:
- Certificate serial number
- Issuer name hash
- Issuer key hash
- Request extensions (nonce, etc.)
OCSP Response:
- Certificate status (good/revoked/unknown)
- This update timestamp
- Next update timestamp
- Revocation time (if revoked)
- Revocation reason (if revoked)
- Response signature
Advantages
- Real-time revocation checking
- Immediate certificate invalidation
- Smaller message size than CRL
- Reduced bandwidth (single certificate check)
- Fresh status information
Disadvantages
- Requires network connectivity
- Additional infrastructure (OCSP responder)
- Latency for each authentication
- Single point of failure
- Privacy concerns (certificate queries tracked)
Best Use Cases
- High-security environments
- Rapid access revocation requirements
- Large certificate deployments
- Frequently changing access policies
- Compliance-driven organizations
OCSP Stapling
How OCSP Stapling Works
Stapling Flow:
1. Server obtains OCSP response for its certificate
↓
2. Server caches signed OCSP response
↓
3. During TLS handshake, server "staples" OCSP response
↓
4. Client receives certificate + OCSP response together
↓
5. Client validates OCSP response signature
↓
6. No separate OCSP query needed
↓
7. Improved performance and privacy
Advantages
- Eliminates client OCSP queries
- Improved performance (cached response)
- Enhanced privacy (no tracking)
- Reduced OCSP responder load
- Scalability
Limitations
- Only for server certificates (RADIUS)
- Not for client certificate checking
- Requires TLS 1.2+ support
- Implementation complexity
Comparison Matrix
Feature Comparison:
Feature          CRL       OCSP      OCSP Stapling
─────────────────────────────────────────────────────────
Real-time        No        Yes       Yes*
Bandwidth        High      Low       Minimal
Latency          Low       Medium    Low
Offline Support  Yes       No        No
Infrastructure   Minimal   Moderate  Moderate
Scalability      Good      Fair      Excellent
Privacy          Good      Poor      Excellent
Implementation   Simple    Moderate  Complex
* For server certificates only
Recommendation by Environment:
Enterprise (High Security):
- Primary: OCSP
- Fallback: CRL
- Server: OCSP Stapling
Small Business:
- Primary: CRL
- Optional: OCSP
High-Volume/Scale:
- Primary: OCSP with caching
- Server: OCSP Stapling
- Fallback: CRL
Air-Gapped/Offline:
- Primary: CRL
- Manual distribution
IronWifi Revocation Configuration
Enabling CRL
IronWifi Console Setup
Navigation: Account → PKI Infrastructure → Certificate Revocation
CRL Configuration:
├─ Enable CRL: ✓
├─ CRL Distribution Point: https://console.ironwifi.com/crl/[account-id].crl
├─ Update Interval: 1 hour (default)
├─ Publication: Automatic
└─ Signing: IronWifi CA
CRL Settings:
├─ Next Update: 24 hours
├─ Include Reason Codes: ✓
├─ Include Invalidity Date: ✓
└─ Base CRL only (no delta CRLs)
RADIUS Integration:
├─ CRL Checking: Enabled
├─ Cache Duration: 1 hour
├─ Automatic Updates: ✓
└─ Fallback Behavior: Reject if CRL unavailable
Certificate Configuration
Client Certificate Template:
Extensions:
├─ CRL Distribution Points:
│ └─ URI: https://console.ironwifi.com/crl/[account-id].crl
├─ Authority Information Access:
│ └─ CA Issuers: https://console.ironwifi.com/ca/[account-id].crt
└─ Certificate Policies: Optional
Issued Certificate Contains:
- CRL URL embedded in certificate
- Clients/RADIUS can retrieve CRL
- Automatic CRL location discovery
Enabling OCSP
IronWifi Console Setup
Navigation: Account → PKI Infrastructure → OCSP Configuration
OCSP Responder:
├─ Enable OCSP: ✓
├─ OCSP URL: http://ocsp.ironwifi.com
├─ Response Signing: IronWifi OCSP Certificate
├─ Response Validity: 24 hours
└─ Nonce Support: ✓ (replay protection)
Performance Settings:
├─ Response Caching: 5 minutes
├─ Max Simultaneous Requests: 1000
├─ Timeout: 5 seconds
└─ Retry: 2 attempts
Fallback Configuration:
├─ OCSP Unavailable: Check CRL
├─ CRL Unavailable: Reject authentication
└─ Both Unavailable: Emergency policy (configurable)
Certificate Configuration
Client Certificate Template:
Authority Information Access:
├─ OCSP URL: http://ocsp.ironwifi.com
├─ Embedded in issued certificates
└─ Automatic OCSP discovery
OCSP Response:
├─ Signed by dedicated OCSP certificate
├─ Includes certificate status
├─ Validity period: 24 hours
├─ Refresh: Real-time
└─ Cached for performance
RADIUS Server Configuration
CRL Configuration on RADIUS
FreeRADIUS Configuration:
eap {
    tls-config tls-common {
        # Check client certificates against the CRL
        check_crl = yes
        # Directory holding the CA certificate(s) and CRL files. OpenSSL looks
        # them up by hashed name, so run c_rehash here after adding or updating a CRL
        ca_path = /etc/raddb/certs/crl
        # CRL reload interval in seconds (1 hour)
        crl_reload_interval = 3600
        # Behaviour if the CRL is unavailable: reject authentication
        check_crl_strict = yes
    }
}
CRL Download:
- Automatic download from distribution point
- Scheduled updates every hour
- Fallback to cached CRL if download fails
- Alert on CRL expiration
OCSP Configuration on RADIUS
FreeRADIUS Configuration:
eap {
    tls-config tls-common {
        # Not an OCSP setting: compares the client certificate CN with the User-Name
        check_cert_cn = yes
        # OCSP checking of the client certificate
        ocsp {
            enable = yes
            # no = query the responder named in the certificate's AIA extension;
            # yes = always use the url below
            override_cert_url = no
            url = "http://ocsp.ironwifi.com"
            # Nonce in each request (replay protection)
            use_nonce = yes
            # Responder timeout in seconds
            timeout = 5
            # Continue if the responder is unavailable (fail-open);
            # set softfail = no to reject when OCSP cannot be consulted
            softfail = yes
        }
    }
}
OCSP Behavior:
- Check client certificate via OCSP
- Use URL from certificate (or override)
- Timeout after 5 seconds
- Cache responses for performance
- Soft fail: Allow if OCSP down (configurable)
Revocation Procedures
Manual Certificate Revocation
Single Certificate Revocation
IronWifi Console:
1. Navigate to Users → Certificate Management
2. Search for user or certificate serial number
3. Select certificate to revoke
4. Click "Revoke Certificate"
Revocation Dialog:
├─ Certificate: [Serial number, CN, expiry]
├─ User: [Email, name]
├─ Current Status: Valid
├─ Revocation Reason: [Dropdown]
│ ├─ Unspecified
│ ├─ Key Compromise
│ ├─ CA Compromise
│ ├─ Affiliation Changed
│ ├─ Superseded
│ ├─ Cessation of Operation
│ ├─ Certificate Hold
│ └─ Remove from CRL (undo hold)
├─ Effective Date: [Timestamp - default: now]
├─ Invalidation Date: [Optional - backdating]
└─ Notify User: ✓ [Email notification]
Confirmation:
- Review details
- Confirm revocation
- Immediate effect
Post-Revocation:
- Certificate added to CRL immediately
- OCSP status updated real-time
- User sessions terminated (optional)
- Email notification sent
- Audit log entry created
Bulk Revocation
Bulk Revocation Options:
By User Group:
1. Navigate to Groups → [Group Name]
2. Select "Revoke All Certificates"
3. Choose revocation reason
4. Confirm bulk action
5. Process: Background job (large groups)
By CSV Import:
1. Prepare CSV with serial numbers or emails
2. Navigate to Users → Certificate Management → Bulk Actions
3. Upload CSV file
4. Map columns (serial/email, reason)
5. Preview revocations
6. Execute bulk revocation
By Date Range:
1. Certificate Management → Advanced Search
2. Filter by issue date, expiry, or criteria
3. Select matching certificates
4. Bulk revoke action
5. Apply revocation reason
6. Confirm and execute
By Department/Location:
1. Filter by custom attributes
2. Select all matching
3. Bulk revoke
4. Automated notification
Automated Revocation
User Lifecycle Integration
Automatic Revocation Triggers:
User Account Disabled:
- Trigger: Account status → Disabled
- Action: Revoke all user certificates
- Reason: Cessation of Operation
- Notification: Email to user and admin
User Deleted:
- Trigger: User deletion from system
- Action: Immediate certificate revocation
- Reason: Affiliation Changed
- Cleanup: Archive user data
Group Membership Removed:
- Trigger: User removed from group
- Condition: If group requires certificate
- Action: Revoke group-specific certificate
- Reason: Affiliation Changed
Account Expiration:
- Trigger: User account expiry date reached
- Action: Auto-revoke certificates
- Reason: Cessation of Operation
- Grace Period: Optional (e.g., 7 days)
Integration-Based Revocation
Identity Provider Sync:
Azure AD / Google Workspace:
- Employee termination in Azure
- Webhook to IronWifi
- Automatic certificate revocation
- Reason: Affiliation Changed
- Timing: Within 5 minutes
SCIM Provisioning:
- User deactivation via SCIM
- IronWifi receives update
- Certificates revoked
- Sessions terminated
HR System Integration:
- Termination date in HR system
- Scheduled revocation
- Advance notice to IT
- Graceful offboarding
Security Event-Driven Revocation
Automated Security Responses:
Compromised Device Detection:
- MDM reports device compromised
- Trigger revocation workflow
- Reason: Key Compromise
- Immediate effect
Unusual Activity Detection:
- Anomalous connection patterns
- Automated or manual review
- Precautionary revocation
- Reason: Certificate Hold (reversible)
Policy Violation:
- Bandwidth abuse
- Security scan detection
- Automated suspension
- Certificate Hold pending review
Multiple Failed Authentications:
- Threshold: 10 failures in 10 minutes
- Temporary suspension
- Certificate Hold
- Admin notification for review
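The threshold rule above as detection code, an added Go example that is not IronWifi's own logic: a sliding ten-minute window per identity over FreeRADIUS-style "Auth:" log lines, emitting one Certificate Hold recommendation once an identity reaches ten failures. The log lines are constructed, and their exact layout is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// The policy above: ten failures inside ten minutes puts the certificate on hold.
const (
	FailureThreshold = 10
	FailureWindow    = 10 * time.Minute
)

// Assumed line shape, modelled on FreeRADIUS "Auth:" lines; the parenthesised failure
// reason varies and is ignored:
//   Mon Dec 16 14:00:00 2024 : Auth: (7) Login incorrect (<reason>): [user] (from client ap1 ...)
var authLine = regexp.MustCompile(`^(.{24}) : Auth: \(\d+\) Login (OK|incorrect)[^\[]*\[([^\]]+)\]`)

// HoldRecommendation is what the detector hands to the review workflow.
type HoldRecommendation struct {
	User     string
	At       time.Time
	Failures int
}

// Detector keeps a sliding window of failure timestamps per identity.
type Detector struct {
	fails   map[string][]time.Time
	flagged map[string]bool
}

func NewDetector() *Detector {
	return &Detector{fails: map[string][]time.Time{}, flagged: map[string]bool{}}
}

// Observe consumes one log line and reports a recommendation the first time an
// identity reaches FailureThreshold failures inside FailureWindow. Lines that do
// not parse, successful logins and already-flagged identities yield nothing.
func (d *Detector) Observe(line string) (HoldRecommendation, bool) {
	m := authLine.FindStringSubmatch(line)
	if m == nil || m[2] != "incorrect" {
		return HoldRecommendation{}, false
	}
	ts, err := time.Parse(time.ANSIC, m[1])
	if err != nil {
		return HoldRecommendation{}, false
	}
	user := m[3]
	kept := d.fails[user][:0] // slide the window: drop failures older than FailureWindow
	for _, t := range d.fails[user] {
		if ts.Sub(t) < FailureWindow {
			kept = append(kept, t)
		}
	}
	kept = append(kept, ts)
	d.fails[user] = kept
	if len(kept) >= FailureThreshold && !d.flagged[user] {
		d.flagged[user] = true
		return HoldRecommendation{User: user, At: ts, Failures: len(kept)}, true
	}
	return HoldRecommendation{}, false
}

// Scan runs a fresh detector over a whole log and collects every recommendation.
func Scan(log string) []HoldRecommendation {
	d := NewDetector()
	var out []HoldRecommendation
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if r, ok := d.Observe(sc.Text()); ok {
			out = append(out, r)
		}
	}
	return out
}

// SampleLog is constructed test data: user1 fails ten times within nine minutes,
// user2 fails ten times five minutes apart (never ten inside one window) and user3 succeeds.
func SampleLog() string {
	start := time.Date(2024, 12, 16, 14, 0, 0, 0, time.UTC)
	var b strings.Builder
	id := 0
	line := func(t time.Time, status, user string) {
		id++
		fmt.Fprintf(&b, "%s : Auth: (%d) Login %s: [%s] (from client ap1 port 0 cli 02-00-00-00-00-01)\n",
			t.Format(time.ANSIC), id, status, user)
	}
	for i := 0; i < 10; i++ {
		line(start.Add(time.Duration(i)*time.Minute), "incorrect (eap_tls: handshake failed)", "user1@example.test")
	}
	for i := 0; i < 10; i++ {
		line(start.Add(time.Duration(i)*5*time.Minute), "incorrect (eap_tls: handshake failed)", "user2@example.test")
	}
	line(start.Add(3*time.Minute), "OK", "user3@example.test")
	return b.String()
}

func main() {
	for _, r := range Scan(SampleLog()) {
		fmt.Printf("HOLD recommended for %s at %s after %d failures\n", r.User, r.At.Format(time.RFC3339), r.Failures)
	}
}
```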
Revocation Verification
Testing Revocation
Verification Steps:
1. Revoke Test Certificate:
- Create test user
- Issue certificate
- Revoke certificate
- Note revocation time
2. Check CRL:
- Download current CRL
- Verify certificate serial present
- Check revocation reason
- Verify signature
3. Check OCSP:
- Query OCSP responder
- openssl ocsp -issuer ca.crt -cert client.crt \
-url http://ocsp.ironwifi.com -CAfile ca.crt
- Expected response: "Revoked"
- Verify revocation time and reason
4. Test Authentication:
- Attempt connection with revoked certificate
- Expected: Authentication failure
- RADIUS log: Certificate revoked
- Verify rejection message
5. Timing Verification:
- CRL update delay: Under 1 hour (default)
- OCSP response: Real-time (under 5 seconds)
- RADIUS cache: Clear cache to test immediately
Monitoring Revocation Status
Real-Time Monitoring:
Dashboard Metrics:
├─ Total Issued Certificates: 1,234
├─ Valid Certificates: 1,156
├─ Expired Certificates: 45
├─ Revoked Certificates: 33
│ ├─ Key Compromise: 5
│ ├─ Affiliation Changed: 18
│ ├─ Superseded: 7
│ └─ Other: 3
└─ Certificates on Hold: 2
Recent Revocations (24h):
- 2024-12-16 14:32: user1@company.com (Affiliation Changed)
- 2024-12-16 09:15: user2@company.com (Key Compromise)
- 2024-12-15 16:45: user3@company.com (Superseded)
Alerts:
- Certificate revoked: Immediate notification
- Bulk revocations: Summary notification
- Failed revocation: Admin alert
Certificate Hold and Reinstatement
Temporary Suspension
Certificate Hold Mechanism
Use Cases for Certificate Hold:
Investigation Period:
- Suspected compromise
- Policy violation under review
- Security incident investigation
- Pending verification
Temporary Leave:
- Employee sabbatical
- Extended medical leave
- Temporary suspension
- Reactivation expected
Grace Period:
- Payment pending
- Contract renewal in progress
- Paperwork processing
- Short-term suspension
How Hold Works:
- Certificate marked as "on hold" in CRL
- OCSP returns "Revoked" (reason: Certificate Hold)
- Authentication rejected
- Reversible: Can be removed from CRL
- Not permanently revoked
Placing Certificate on Hold
IronWifi Console:
1. Navigate to Certificate Management
2. Select certificate
3. Click "Suspend Certificate"
Suspension Dialog:
├─ Reason: Certificate Hold
├─ Hold Duration: [Days or indefinite]
├─ Auto-Release: [Optional date]
├─ Notify User: ✓
└─ Notes: [Internal notes]
Effect:
- Immediate authentication denial
- Added to CRL with Hold reason
- OCSP returns Revoked (Hold)
- User notification sent
- Reversible action
Removing Certificate from Hold
Reinstatement Process:
1. Navigate to Certificate Management
2. Filter: Status = On Hold
3. Select certificate(s)
4. Click "Remove Hold"
Reinstatement Dialog:
├─ Certificate: [Details]
├─ Hold Since: [Date]
├─ Hold Reason: [Original reason]
├─ Release Reason: [Required]
├─ Effective: [Immediately or scheduled]
└─ Notify User: ✓
Post-Reinstatement:
- Removed from CRL
- OCSP status: Good
- Authentication allowed
- User notification
- Audit trail updated
Note: Certificate Hold is the ONLY reversible revocation reason
Permanent Revocation
Irreversible Revocations
Permanent Revocation Reasons:
Key Compromise:
- Private key exposed
- Device stolen
- Security breach
- Requires new certificate
CA Compromise:
- Certificate Authority compromised
- All certificates potentially affected
- Mass reissuance required
Affiliation Changed:
- Employee terminated
- Contractor ended
- User role changed
- Organization departure
Superseded:
- Certificate replaced
- Upgraded certificate issued
- Old certificate invalid
Cessation of Operation:
- Service discontinued
- Device decommissioned
- Account closed
Unspecified:
- Generic revocation
- Reason not disclosed
Important:
- These revocations are PERMANENT
- Cannot be undone
- Certificate cannot be reinstated
- New certificate required for access
- Serial number remains in CRL indefinitely (or per retention policy)
Troubleshooting
Common Issues
CRL Download Failures
Symptoms:
- RADIUS logs show CRL retrieval errors
- Authentication timeouts
- All certificates rejected
Causes:
- Network connectivity issues
- Firewall blocking HTTP/HTTPS
- DNS resolution failures
- CRL distribution point unavailable
- Expired CRL
Diagnosis:
1. Test CRL URL manually:
wget https://console.ironwifi.com/crl/[account-id].crl
2. Check CRL validity:
openssl crl -in downloaded.crl -text -noout
3. Verify dates:
- This Update: Should be recent
- Next Update: Should be future
4. Check RADIUS logs:
grep "CRL" /var/log/radius/radius.log
Solutions:
- Verify network connectivity from RADIUS server
- Check firewall rules (allow outbound HTTP/HTTPS)
- Verify DNS resolution
- Increase CRL cache duration
- Enable CRL fallback behavior
- Contact IronWifi support if distribution point down
OCSP Responder Timeouts
Symptoms:
- Slow authentication
- Intermittent failures
- RADIUS logs show OCSP timeout errors
Causes:
- Network latency
- OCSP responder overloaded
- Firewall issues
- DNS problems
- Configuration errors
Diagnosis:
1. Test OCSP manually:
openssl ocsp -issuer ca.crt -cert client.crt \
-url http://ocsp.ironwifi.com -CAfile ca.crt
2. Measure response time:
time openssl ocsp ... (should be under 1 second)
3. Check connectivity:
ping ocsp.ironwifi.com
traceroute ocsp.ironwifi.com
4. Review RADIUS configuration:
- OCSP timeout setting
- Soft fail configuration
- Cache settings
Solutions:
- Increase OCSP timeout (default: 5s → 10s)
- Enable OCSP soft fail (allow if unavailable)
- Enable OCSP response caching
- Configure CRL as fallback
- Check network path to OCSP responder
- Verify firewall allows HTTP to ocsp.ironwifi.com
Revoked Certificates Still Authenticating
Symptoms:
- Certificate revoked but user still connects
- Delay in revocation enforcement
- Inconsistent behavior
Causes:
- CRL not updated on RADIUS server
- OCSP caching
- RADIUS certificate cache
- CRL/OCSP disabled
- Configuration error
Diagnosis:
1. Verify revocation in IronWifi:
- Check certificate status
- Confirm in revoked list
- Note revocation timestamp
2. Check CRL distribution:
- Download current CRL
- Verify serial number present
- Check "This Update" timestamp
3. Verify RADIUS CRL:
- Check RADIUS CRL cache
- Compare timestamps
- Force CRL reload
4. Test OCSP:
- Query certificate status
- Should return "Revoked"
Solutions:
- Force CRL update on RADIUS:
- Delete cached CRL
- Restart RADIUS service
- Or wait for next update interval
- Clear OCSP cache (if applicable)
- Verify RADIUS configuration:
- check_crl = yes
- OCSP enabled
- Reduce CRL update interval:
- Default: 1 hour → 15 minutes (if needed)
- For immediate effect:
- Use OCSP instead of CRL
- Reduce cache durations
- Enable real-time checking
Certificate Wrongly Revoked
Symptoms:
- Valid user cannot authenticate
- Certificate shows as revoked
- User claims no security incident
Causes:
- Accidental revocation
- Automated rule false positive
- Bulk revocation mistake
- Integration error
Diagnosis:
1. Check certificate status:
- IronWifi console
- Verify revocation details
- Review revocation reason
- Check who performed revocation
2. Review audit logs:
- Revocation timestamp
- Triggering event
- Admin action or automated
- Integration webhook logs
3. Verify user account:
- User status
- Group membership
- Account expiration
Solutions:
If Certificate On Hold (Temporary):
- Remove from hold (reversible)
- User can reconnect immediately
If Permanently Revoked:
- Cannot undo revocation
- Issue new certificate:
1. Generate new certificate for user
2. Send to user via email or portal
3. User installs new certificate
4. Old certificate remains revoked
- Review process to prevent recurrence:
- Adjust automated rules
- Update integration logic
- Train administrators
- Add approval workflows for bulk actions
Debugging Tools
OpenSSL Commands
Certificate Verification:
Check Certificate Details:
openssl x509 -in client.crt -text -noout
Verify Certificate Chain:
openssl verify -CAfile ca.crt -crl_check \
-CRLfile ca.crl client.crt
Check CRL:
openssl crl -in ca.crl -text -noout
OCSP Query:
openssl ocsp -issuer ca.crt -cert client.crt \
-url http://ocsp.ironwifi.com -CAfile ca.crt -resp_text
Expected OCSP Responses:
- Good: Certificate is valid
- Revoked: Certificate has been revoked (with reason)
- Unknown: Certificate not found
RADIUS Debugging
FreeRADIUS Debug Mode:
Stop RADIUS:
systemctl stop freeradius
Run in Debug Mode:
radiusd -X
Look for CRL/OCSP Output:
- CRL download messages
- CRL parsing
- Certificate chain validation
- OCSP queries and responses
- Revocation checking results
Test Single Authentication:
radtest username password localhost 0 testing123
Expected Debug Output (Revoked Cert):
- Certificate presented
- Serial number: XXXXX
- CRL check: Certificate found in CRL
- Revocation reason: Key Compromise
- Authentication: REJECTED
Network Diagnostics
Connectivity Tests:
Test CRL Download:
curl -I https://console.ironwifi.com/crl/[account-id].crl
wget --spider https://console.ironwifi.com/crl/[account-id].crl
Test OCSP Connectivity:
nc -vz ocsp.ironwifi.com 80
curl -I http://ocsp.ironwifi.com
DNS Resolution:
nslookup console.ironwifi.com
nslookup ocsp.ironwifi.com
Trace Route:
traceroute console.ironwifi.com
traceroute ocsp.ironwifi.com
Firewall Test:
tcpdump -i any host ocsp.ironwifi.com
Best Practices
Revocation Policy
Define Revocation Procedures
Revocation Policy Template:
Immediate Revocation (within 1 hour):
- Lost or stolen devices
- Suspected compromise
- Employee termination for cause
- Security incident
- Legal requirement
Scheduled Revocation (within 24 hours):
- Standard employee termination
- Contractor end date
- Planned device replacement
- Certificate upgrade
Grace Period Revocation (3-7 days):
- Employee departure with notice period
- Contractor rolling off
- Certificate expiration with renewal
- Voluntary resignation
Revocation Reasons Mapping:
- Termination → Affiliation Changed
- Device lost/stolen → Key Compromise
- Security incident → Key Compromise
- Certificate replacement → Superseded
- Service discontinued → Cessation of Operation
- Investigation → Certificate Hold (temporary)
Approval Workflows
Revocation Authorization:
Single Certificate:
- Help desk can revoke for lost device
- Manager approval for employee
- Security team for compromise
- Automated for account deletion
Bulk Revocation (over 10):
- Requires manager approval
- Security team notification
- Change control ticket
- Scheduled maintenance window
Emergency Revocation:
- Security team authority
- Immediate action
- Post-incident review
- Audit trail required
Reinstatement from Hold:
- Original revoker can release
- Manager approval required
- Security review for compromises
- Documented reason required
Monitoring and Alerting
Real-Time Alerts
Alert Configuration:
Critical Alerts (Immediate):
- Mass revocation (over 50 certificates)
- CA private key access attempt
- CRL distribution point failure
- OCSP responder down
- Unusual revocation pattern
Warning Alerts (Within 1 hour):
- Bulk revocation (10-50 certificates)
- CRL update failure
- OCSP timeout increase
- Revocation rate spike
Informational Alerts (Daily digest):
- Daily revocation summary
- Certificates expiring (30 days)
- Revocation reason distribution
- Top users by revocations
Alert Channels:
- Email: Security team, IT management
- SMS: For critical alerts
- Slack/Teams: Operations channel
- SIEM: Integration for correlation
- Ticketing: Automatic ticket creation
Regular Auditing
Audit Schedule:
Daily:
- Review revocation log
- Check CRL/OCSP availability
- Monitor revocation rate
- Verify automated revocations
Weekly:
- Analyze revocation reasons
- Review hold status certificates
- Check authentication failure patterns
- Validate integration synchronization
Monthly:
- Comprehensive revocation report
- Policy compliance review
- Process effectiveness evaluation
- Training needs assessment
Quarterly:
- Security audit
- Revocation procedure review
- Disaster recovery test
- Stakeholder reporting
Annual:
- Policy review and update
- Technology assessment
- Compliance certification
- Executive presentation
Certificate Lifecycle Management
Proactive Management
Lifecycle Automation:
Certificate Issuance:
- Automated provisioning
- Default validity: 1 year
- Renewal notifications: 30, 14, 7 days
- Auto-renewal option available
Certificate Renewal:
- Automated renewal process
- Overlap period: 7 days
- Old certificate auto-revoked after new issued
- Reason: Superseded
Certificate Expiration:
- Warning emails: 30, 14, 7 days before
- Automatic revocation on expiration
- Grace period: Optional 7 days
- User portal for self-renewal
Certificate Replacement:
- Device upgrade triggers new certificate
- Old certificate revoked (Superseded)
- Automated distribution
- Zero downtime transition
Certificate Hygiene
Maintenance Tasks:
Unused Certificates:
- Detection: No auth in 90 days
- Action: Review and revoke
- Notification: User and manager
- Cleanup: Reduce attack surface
Duplicate Certificates:
- Detection: Multiple certs per user
- Analysis: Check necessity
- Action: Revoke older/unnecessary
- User education: Proper usage
Over-Privileged Certificates:
- Review: User role vs. certificate group
- Detection: Access beyond role
- Action: Revoke and reissue
- Principle: Least privilege
Orphaned Certificates:
- Detection: User account deleted
- Certificate still valid
- Action: Immediate revocation
- Prevention: Automated cleanup
Security Hardening
CRL Security
CRL Protection:
Signing Key Security:
- CA private key in HSM
- Access controls strict
- Audit all key usage
- Regular key rotation (3-5 years)
Distribution Security:
- HTTPS for CRL distribution
- CRL signed by CA
- Signature verification mandatory
- Integrity checking
Update Frequency:
- Default: Every 1 hour
- High security: Every 15 minutes
- Balance: Security vs. bandwidth
- Emergency updates: On-demand
Backup and Redundancy:
- Multiple CRL distribution points
- Geographic redundancy
- CDN distribution for performance
- Fallback mechanisms
OCSP Security
OCSP Hardening:
OCSP Responder Security:
- Dedicated OCSP signing certificate
- Separate from CA certificate
- Limited privilege
- Short-lived responses (24h max)
Request Security:
- Nonce support (replay protection)
- Rate limiting
- DDoS protection
- Authentication (optional)
Response Security:
- Always signed
- Signature validation required
- Timestamp verification
- No caching of revoked responses
Infrastructure Security:
- Redundant OCSP responders
- Load balancing
- DDoS mitigation
- 99.9% SLA target
Access Controls
Revocation Permissions:
Role-Based Access:
Security Administrator:
- Revoke any certificate
- Bulk operations
- Emergency revocations
- Policy configuration
Certificate Administrator:
- Revoke within managed groups
- Individual revocations
- View all certificates
- Generate reports
Help Desk:
- Revoke for lost device (with verification)
- Suspend (Certificate Hold)
- Limited to assigned users
- Cannot bulk revoke
Manager:
- Revoke for direct reports
- Approve revocations
- View team certificates
- Request bulk operations
Audit Requirements:
- All revocations logged
- User, timestamp, reason
- IP address, session ID
- Approval chain recorded
- Immutable audit trail
Compliance and Reporting
Regulatory Requirements
GDPR Compliance
Right to Access:
- Users can view their certificates
- Revocation history available
- Export certificate data
- Self-service portal access
Right to Erasure:
- Certificate revocation
- Data retention limits
- Anonymization of logs
- Complete removal option
Data Protection:
- Private keys encrypted
- Certificate data secured
- Access controls enforced
- Breach notification (72h)
Audit Trail:
- Who revoked certificates
- When and why
- User notification logs
- Data access records
HIPAA Compliance
Access Control (§164.312(a)(1)):
- Unique user identification (certificate CN)
- Emergency access procedure (admin override)
- Automatic logoff (session timeout)
- Encryption and decryption (TLS)
Audit Controls (§164.312(b)):
- Certificate issuance logging
- Revocation tracking
- Authentication attempts
- Access to PHI systems
Integrity (§164.312(c)(1)):
- Certificate validation
- Non-repudiation (digital signatures)
- Data integrity checking
Transmission Security (§164.312(e)(1)):
- TLS encryption (EAP-TLS)
- Certificate-based authentication
- Secure key exchange
PCI-DSS Compliance
Requirement 8.2: Strong Authentication
- Two-factor: Certificate + device
- Unique credentials per user
- Immediate revocation capability
Requirement 10.2: Audit Trails
- User authentication events
- Certificate revocations
- Admin actions logged
- Protected audit logs
Requirement 11.4: Intrusion Detection
- Unusual revocation patterns
- Compromised certificate detection
- Alerting mechanisms
Requirement 12.3: Usage Policies
- Acceptable use policy
- Revocation procedures
- User responsibilities
- Certificate handling
Reporting
Standard Reports
Certificate Revocation Report:
Daily Summary:
- Revocations today: 5
- Reason breakdown:
- Affiliation Changed: 3
- Key Compromise: 1
- Superseded: 1
- Total revoked: 127
- Active certificates: 1,089
Weekly Trends:
- Revocations this week: 23
- Average per day: 3.3
- Week-over-week: +15%
- Top reasons: Affiliation (60%), Superseded (25%)
Monthly Analysis:
- Total revocations: 98
- By department:
- Sales: 34
- Engineering: 28
- Operations: 22
- Other: 14
- Revocation reasons distribution
- Cost impact (reissuance)
Annual Review:
- Total certificates issued: 3,456
- Total revoked: 892 (25.8%)
- Average certificate lifetime: 274 days
- Revocation by reason (12-month)
- Compliance metrics
- Process improvements
Custom Reports
Report Builder:
Dimensions:
- Time period
- User/group
- Revocation reason
- Department
- Location
- Certificate type
Metrics:
- Revocation count
- Average certificate age at revocation
- Time to revoke (from request)
- Reissuance rate
- Authentication failures post-revocation
Filters:
- Date range
- Specific users
- Revocation reasons
- Manual vs. automated
- Emergency vs. planned
Export Formats:
- PDF (executive summary)
- Excel (detailed data)
- CSV (raw data)
- JSON (API integration)
Scheduling:
- Daily, weekly, monthly
- Email delivery
- Portal access
- API endpoint
Emergency Procedures
Mass Revocation
CA Compromise Scenario
Response Plan:
Immediate (Hour 0):
1. Identify compromise scope
2. Revoke all potentially affected certificates
3. Notify all users
4. Disable certificate issuance
5. Alert security team
Short Term (Hours 1-24):
1. Generate new CA key pair (if needed)
2. Issue new CA certificate
3. Communicate recovery plan to users
4. Set up temporary authentication (if needed)
5. Begin certificate reissuance
Medium Term (Days 1-7):
1. Automated certificate reissuance
2. User communication and support
3. Monitor adoption rate
4. Help desk surge staffing
5. Verify new infrastructure
Long Term (Weeks 1-4):
1. Complete certificate migration
2. Revoke old CA certificate
3. Post-incident review
4. Process improvements
5. Documentation updates
Notification Template:
Subject: URGENT: WiFi Certificate Security Update Required
Dear [User],
We have identified a security incident affecting WiFi certificates.
For your protection, your current certificate has been revoked.
Action Required:
1. Download new certificate: [link]
2. Install following guide: [link]
3. Remove old certificate
4. Deadline: [date]
Support: [contact info]
Disaster Recovery
Revocation System Failure
Failover Procedures:
CRL Distribution Failure:
Primary Distribution Point Down:
1. Automatic failover to secondary CRL URL
2. CDN serves cached CRL (max age: 1 hour)
3. Alert operations team
4. Investigate primary server
5. Restore service
Both CRL URLs Down:
1. RADIUS uses last cached CRL
2. Emergency mode: OCSP only
3. Escalate to critical incident
4. Manual CRL distribution if needed
5. Emergency communication
OCSP Responder Failure:
Primary OCSP Down:
1. Automatic failover to secondary
2. Load balancer redirects traffic
3. Monitor response times
4. Alert engineering team
All OCSP Responders Down:
1. Soft-fail: Proceed without OCSP
2. OR Hard-fail: Deny authentication
(Based on security policy)
3. Fallback to CRL checking
4. Emergency incident response
5. Rapid recovery priority
Complete Failure (CRL + OCSP):
Emergency Authentication:
1. Configure emergency access method:
- Temporary password authentication
- MAC address bypass for critical systems
- Admin-approved access list
2. Notify users of temporary procedure
3. All-hands recovery effort
4. Post-recovery: Audit emergency access
5. Remove emergency access immediately
Recovery Validation:
1. Verify CRL downloadable
2. Test OCSP queries
3. Confirm revoked certs denied
4. Validate valid certs accepted
5. Remove emergency procedures
6. Document incident
Advanced Topics
Delta CRLs
Concept and Benefits
Delta CRL Overview:
Problem with Base CRLs:
- Large file size (growing over time)
- Bandwidth intensive
- Slow downloads
- Infrequent updates due to size
Delta CRL Solution:
- Base CRL: Complete list (published weekly/monthly)
- Delta CRL: Only changes since base (published hourly)
- Much smaller size
- Faster updates
- Reduced bandwidth
Implementation:
Base CRL:
- Published: Weekly
- Contains: All revoked certificates
- Size: 500 KB (example)
Delta CRL:
- Published: Hourly
- Contains: New revocations since base
- Size: 5-20 KB
- References: Base CRL number
Client Behavior:
1. Download base CRL (weekly)
2. Download delta CRLs (hourly)
3. Merge delta with base
4. Check certificate status
5. Refresh delta hourly, base weekly
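The merge in client-behaviour step 3, combined with the rule from the Certificate Hold section that only a hold may be lifted, as an added Go example. It is not IronWifi code (which publishes base CRLs only); it works on already-decoded entries, and every serial, number and timestamp is constructed.

```go
package main

import (
	"fmt"
	"math/big"
	"sort"
	"time"
)

// RFC 5280 CRLReason codes used below; removeFromCRL appears only in delta CRLs.
const (
	ReasonKeyCompromise      = 1
	ReasonAffiliationChanged = 3
	ReasonCertificateHold    = 6
	ReasonRemoveFromCRL      = 8
)

// Entry is one item of a CRL's revokedCertificates sequence.
type Entry struct {
	Serial    *big.Int
	RevokedAt time.Time
	Reason    int
}

// CRL is a decoded base CRL: its cRLNumber and its entries.
type CRL struct {
	Number  int64
	Entries []Entry
}

// DeltaCRL carries the deltaCRLIndicator: the cRLNumber of the base it applies to.
type DeltaCRL struct {
	CRL
	BaseNumber int64
}

// Merge is client-behaviour step 3 above. Delta entries are added, or replace the
// base entry for the same serial (a hold can be escalated to a permanent reason).
// A removeFromCRL entry drops the serial only if the base lists it as certificateHold,
// the single reversible reason; against a permanent entry it is refused, the entry
// is kept, and the serial is reported so the bad delta can be investigated. A
// removeFromCRL for a serial the base does not list is ignored.
func Merge(base CRL, delta DeltaCRL) (merged CRL, refused []string, err error) {
	if delta.BaseNumber != base.Number {
		return CRL{}, nil, fmt.Errorf("delta applies to base %d, cached base is %d", delta.BaseNumber, base.Number)
	}
	if delta.Number <= base.Number {
		return CRL{}, nil, fmt.Errorf("delta number %d is not newer than base %d", delta.Number, base.Number)
	}
	bySerial := make(map[string]Entry, len(base.Entries))
	for _, e := range base.Entries {
		bySerial[e.Serial.String()] = e
	}
	for _, e := range delta.Entries {
		key := e.Serial.String()
		if e.Reason != ReasonRemoveFromCRL {
			bySerial[key] = e
			continue
		}
		if cur, ok := bySerial[key]; ok && cur.Reason == ReasonCertificateHold {
			delete(bySerial, key)
		} else if ok {
			refused = append(refused, key)
		}
	}
	merged = CRL{Number: delta.Number}
	for _, e := range bySerial {
		merged.Entries = append(merged.Entries, e)
	}
	sort.Slice(merged.Entries, func(i, j int) bool { return merged.Entries[i].Serial.Cmp(merged.Entries[j].Serial) < 0 })
	return merged, refused, nil
}

// Lookup is the RADIUS-side question: is this client serial on the merged list?
func Lookup(c CRL, serial int64) (Entry, bool) {
	for _, e := range c.Entries {
		if e.Serial.Cmp(big.NewInt(serial)) == 0 {
			return e, true
		}
	}
	return Entry{}, false
}

// SampleBase and SampleDelta are constructed data: the weekly base (number 7) lists
// serial 1001 as keyCompromise and 1002 on hold; the hourly delta (number 9) releases
// 1002, wrongly tries to release 1001, and adds 1003 as affiliationChanged.
func SampleBase() CRL {
	t := time.Date(2024, 12, 16, 9, 0, 0, 0, time.UTC)
	return CRL{Number: 7, Entries: []Entry{
		{Serial: big.NewInt(1001), RevokedAt: t, Reason: ReasonKeyCompromise},
		{Serial: big.NewInt(1002), RevokedAt: t.Add(time.Hour), Reason: ReasonCertificateHold},
	}}
}

func SampleDelta() DeltaCRL {
	t := time.Date(2024, 12, 16, 14, 0, 0, 0, time.UTC)
	return DeltaCRL{BaseNumber: 7, CRL: CRL{Number: 9, Entries: []Entry{
		{Serial: big.NewInt(1002), RevokedAt: t, Reason: ReasonRemoveFromCRL},
		{Serial: big.NewInt(1001), RevokedAt: t, Reason: ReasonRemoveFromCRL},
		{Serial: big.NewInt(1003), RevokedAt: t.Add(30 * time.Minute), Reason: ReasonAffiliationChanged},
	}}}
}

func main() {
	merged, refused, err := Merge(SampleBase(), SampleDelta())
	fmt.Printf("merged CRL %d: %d entries, refused removals %v, err=%v\n", merged.Number, len(merged.Entries), refused, err)
	_, onList := Lookup(merged, 1002)
	fmt.Println("serial 1002 (released from hold) still listed:", onList)
}
```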
IronWifi Support:
- Currently: Base CRL only
- Future: Delta CRL support planned
- Configuration: Automatic when enabled
Certificate Pinning
Enhanced Security
Concept:
Standard Validation:
- Trust any certificate from trusted CA
- Vulnerable to CA compromise
- Vulnerable to rogue certificates
Certificate Pinning:
- Trust specific certificate(s)
- Pin to specific CA certificate
- Pin to specific server certificate
- Enhanced security
Implementation in WiFi Profiles:
iOS Configuration Profile:
<dict>
    <key>PayloadCertificateAnchorUUID</key>
    <array>
        <string>CA-CERT-UUID</string>
    </array>
    <key>TLSTrustedServerNames</key>
    <array>
        <string>radius.ironwifi.com</string>
    </array>
</dict>
Android:
- Similar pinning in network configuration
- Pin to specific CA
- Validate server name
Benefits:
- Prevents rogue RADIUS servers
- Stops MITM attacks
- Requires specific CA certificate
- Additional security layer
Considerations:
- CA certificate updates require profile update
- More management overhead
- Higher security for sensitive environments
Support and Resources
IronWifi Support
Contact Information
- Email: support@ironwifi.com
- Portal: console.ironwifi.com/support
- Documentation: www.ironwifi.com/help-center
- Emergency: Available for Enterprise accounts
Response Times
- Critical (revocation system down): Under 2 hours
- High (mass revocation needed): Under 4 hours
- Normal (revocation questions): Within 24 hours
- General guidance: Within 48 hours
Related Documentation
- PKI Infrastructure - Certificate authority management
- EAP-TLS Configuration - Client certificate setup
- Passpoint OSU Portal - Automated certificate provisioning
- Security & Compliance - Security best practices
External Resources
Standards and RFCs
- RFC 5280: X.509 Certificate and CRL Profile
- RFC 6960: Online Certificate Status Protocol (OCSP)
- RFC 6961: Multiple Certificate Status Request (OCSP Stapling)
- RFC 3647: Certificate Policy and Certification Practices Framework
Tools
- OpenSSL: Certificate and CRL manipulation
- XCA: Certificate authority management
- Wireshark: Network traffic analysis (OCSP/CRL)
Need Help with Certificate Revocation?
Contact IronWifi support for assistance with revocation policies, emergency procedures, or implementation guidance.