Certificate Revocation Guide

Overview

Certificate revocation is a critical security mechanism that allows administrators to invalidate certificates before their natural expiration date. This is essential when certificates are compromised, devices are lost or stolen, users leave the organization, or security policies change.

IronWiFi provides comprehensive certificate revocation capabilities through Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP), ensuring that revoked certificates are immediately rejected during authentication attempts.

Why Certificate Revocation Matters

Security Incidents

Lost or stolen devices must be immediately denied access
Compromised private keys require instant invalidation
Suspected security breaches need rapid response
Unauthorized certificate usage must be prevented

Organizational Changes

Employee terminations require access removal
Role changes may necessitate new certificates
Contractor access needs time-limited validity
Department transfers require updated credentials

Compliance Requirements

GDPR requires data access control
HIPAA mandates immediate access revocation
PCI-DSS requires certificate lifecycle management
SOC 2 demands audit trails

Operational Needs

Certificate replacement for upgrades
Policy changes requiring new certificates
Device refresh cycles
Certificate format updates

Revocation Technologies

Certificate Revocation List (CRL)

How CRL Works

CRL Distribution Flow:

1. Certificate Authority maintains CRL
   ↓
2. CRL contains serial numbers of revoked certificates
   ↓
3. CRL signed by CA private key
   ↓
4. CRL published to distribution point
   ↓
5. RADIUS server downloads CRL periodically
   ↓
6. RADIUS checks client certificate against CRL
   ↓
7. If serial number found → Authentication rejected
   ↓
8. If not found → Authentication proceeds

CRL Structure

X.509 CRL Contents:

Header:
- Version
- Signature algorithm
- Issuer (CA name)
- This update (timestamp)
- Next update (expiration)

Revoked Certificates List:
- Serial number
- Revocation date
- Revocation reason (optional)
- Certificate extensions

Signature:
- CA signature
- Signature algorithm

Advantages

Simple implementation
Works offline (once downloaded)
No additional infrastructure required
Widely supported by all platforms
Low computational overhead

Disadvantages

Delayed revocation (update interval)
Large file size with many certificates
Bandwidth consumption for downloads
Cache expiration delays
Not real-time

Best Use Cases

Stable environments with infrequent changes
Offline or air-gapped networks
Legacy systems requiring CRL
Low-criticality applications
Bandwidth-constrained environments

Online Certificate Status Protocol (OCSP)

How OCSP Works

OCSP Query Flow:

1. Client presents certificate to RADIUS
   ↓
2. RADIUS extracts certificate serial number
   ↓
3. RADIUS sends OCSP request to OCSP responder
   ↓
4. OCSP responder checks certificate status
   ↓
5. OCSP responder returns status:
   - Good: Certificate valid
   - Revoked: Certificate invalidated (reason, date)
   - Unknown: Certificate not found
   ↓
6. RADIUS makes authentication decision
   ↓
7. If Good → Authentication proceeds
   ↓
8. If Revoked/Unknown → Authentication rejected

OCSP Request/Response

OCSP Request:
- Certificate serial number
- Issuer name hash
- Issuer key hash
- Request extensions (nonce, etc.)

OCSP Response:
- Certificate status (good/revoked/unknown)
- This update timestamp
- Next update timestamp
- Revocation time (if revoked)
- Revocation reason (if revoked)
- Response signature

Advantages

Real-time revocation checking
Immediate certificate invalidation
Smaller message size than CRL
Reduced bandwidth (single certificate check)
Fresh status information

Disadvantages

Requires network connectivity
Additional infrastructure (OCSP responder)
Latency for each authentication
Single point of failure
Privacy concerns (certificate queries tracked)

Best Use Cases

High-security environments
Rapid access revocation requirements
Large certificate deployments
Frequently changing access policies
Compliance-driven organizations

OCSP Stapling

How OCSP Stapling Works

Stapling Flow:

1. Server obtains OCSP response for its certificate
   ↓
2. Server caches signed OCSP response
   ↓
3. During TLS handshake, server "staples" OCSP response
   ↓
4. Client receives certificate + OCSP response together
   ↓
5. Client validates OCSP response signature
   ↓
6. No separate OCSP query needed
   ↓
7. Improved performance and privacy

Advantages

Eliminates client OCSP queries
Improved performance (cached response)
Enhanced privacy (no tracking)
Reduced OCSP responder load
Scalability

Limitations

Only for server certificates (RADIUS)
Not for client certificate checking
Requires TLS 1.2+ support
Implementation complexity

Comparison Matrix

Feature Comparison:

                    CRL         OCSP        OCSP Stapling
─────────────────────────────────────────────────────────
Real-time           No          Yes         Yes*
Bandwidth           High        Low         Minimal
Latency             Low         Medium      Low
Offline Support     Yes         No          No
Infrastructure      Minimal     Moderate    Moderate
Scalability         Good        Fair        Excellent
Privacy             Good        Poor        Excellent
Implementation      Simple      Moderate    Complex

* For server certificates only

Recommendation by Environment:

Enterprise (High Security):
- Primary: OCSP
- Fallback: CRL
- Server: OCSP Stapling

Small Business:
- Primary: CRL
- Optional: OCSP

High-Volume/Scale:
- Primary: OCSP with caching
- Server: OCSP Stapling
- Fallback: CRL

Air-Gapped/Offline:
- Primary: CRL
- Manual distribution

IronWiFi Revocation Configuration

Enabling CRL

IronWiFi Console Setup

Navigation: Account → PKI Infrastructure → Certificate Revocation

CRL Configuration:
├─ Enable CRL: ✓
├─ CRL Distribution Point: https://console.ironwifi.com/crl/[account-id].crl
├─ Update Interval: 1 hour (default)
├─ Publication: Automatic
└─ Signing: IronWiFi CA

CRL Settings:
├─ Next Update: 24 hours
├─ Include Reason Codes: ✓
├─ Include Invalidity Date: ✓
└─ Base CRL only (no delta CRLs)

RADIUS Integration:
├─ CRL Checking: Enabled
├─ Cache Duration: 1 hour
├─ Automatic Updates: ✓
└─ Fallback Behavior: Reject if CRL unavailable

Certificate Configuration

Client Certificate Template:

Extensions:
├─ CRL Distribution Points:
│   └─ URI: https://console.ironwifi.com/crl/[account-id].crl
├─ Authority Information Access:
│   └─ CA Issuers: https://console.ironwifi.com/ca/[account-id].crt
└─ Certificate Policies: Optional

Issued Certificate Contains:
- CRL URL embedded in certificate
- Clients/RADIUS can retrieve CRL
- Automatic CRL location discovery

Enabling OCSP

IronWiFi Console Setup

Navigation: Account → PKI Infrastructure → OCSP Configuration

OCSP Responder:
├─ Enable OCSP: ✓
├─ OCSP URL: http://ocsp.ironwifi.com
├─ Response Signing: IronWiFi OCSP Certificate
├─ Response Validity: 24 hours
└─ Nonce Support: ✓ (replay protection)

Performance Settings:
├─ Response Caching: 5 minutes
├─ Max Simultaneous Requests: 1000
├─ Timeout: 5 seconds
└─ Retry: 2 attempts

Fallback Configuration:
├─ OCSP Unavailable: Check CRL
├─ CRL Unavailable: Reject authentication
└─ Both Unavailable: Emergency policy (configurable)

Certificate Configuration

Client Certificate Template:

Authority Information Access:
├─ OCSP URL: http://ocsp.ironwifi.com
├─ Embedded in issued certificates
└─ Automatic OCSP discovery

OCSP Response:
├─ Signed by dedicated OCSP certificate
├─ Includes certificate status
├─ Validity period: 24 hours
├─ Refresh: Real-time
└─ Cached for performance

RADIUS Server Configuration

CRL Configuration on RADIUS

FreeRADIUS Configuration:

eap {
    tls-config tls-common {
        # CRL checking
        check_crl = yes

        # CRL file location
        ca_path = /etc/raddb/certs/crl

        # CRL update interval
        crl_reload_interval = 3600

        # Behavior if CRL unavailable
        check_crl_strict = yes
    }
}

CRL Download:
- Automatic download from distribution point
- Scheduled updates every hour
- Fallback to cached CRL if download fails
- Alert on CRL expiration

OCSP Configuration on RADIUS

FreeRADIUS Configuration:

eap {
    tls-config tls-common {
        # OCSP checking
        check_cert_cn = yes
        ocsp {
            enable = yes
            override_cert_url = no
            url = "http://ocsp.ironwifi.com"
            use_nonce = yes
            timeout = 5
            softfail = yes  # Continue if OCSP unavailable
        }
    }
}

OCSP Behavior:
- Check client certificate via OCSP
- Use URL from certificate (or override)
- Timeout after 5 seconds
- Cache responses for performance
- Soft fail: Allow if OCSP down (configurable)

Revocation Procedures

Manual Certificate Revocation

Single Certificate Revocation

IronWiFi Console:

1. Navigate to Users → Certificate Management
2. Search for user or certificate serial number
3. Select certificate to revoke
4. Click "Revoke Certificate"

Revocation Dialog:
├─ Certificate: [Serial number, CN, expiry]
├─ User: [Email, name]
├─ Current Status: Valid
├─ Revocation Reason: [Dropdown]
│   ├─ Unspecified
│   ├─ Key Compromise
│   ├─ CA Compromise
│   ├─ Affiliation Changed
│   ├─ Superseded
│   ├─ Cessation of Operation
│   ├─ Certificate Hold
│   └─ Remove from CRL (undo hold)
├─ Effective Date: [Timestamp - default: now]
├─ Invalidation Date: [Optional - backdating]
└─ Notify User: ✓ [Email notification]

Confirmation:
- Review details
- Confirm revocation
- Immediate effect

Post-Revocation:
- Certificate added to CRL immediately
- OCSP status updated real-time
- User sessions terminated (optional)
- Email notification sent
- Audit log entry created

Bulk Revocation

Bulk Revocation Options:

By User Group:
Navigate to Groups → [Group Name]
Select "Revoke All Certificates"
Choose revocation reason
Confirm bulk action
Process: Background job (large groups)

By CSV Import:
Prepare CSV with serial numbers or emails
Navigate to Users → Certificate Management → Bulk Actions
Upload CSV file
Map columns (serial/email, reason)
Preview revocations
Execute bulk revocation

By Date Range:
Certificate Management → Advanced Search
Filter by issue date, expiry, or criteria
Select matching certificates
Bulk revoke action
Apply revocation reason
Confirm and execute

By Department/Location:
Filter by custom attributes
Select all matching
Bulk revoke
Automated notification

Automated Revocation

User Lifecycle Integration

Automatic Revocation Triggers:

User Account Disabled:
- Trigger: Account status → Disabled
- Action: Revoke all user certificates
- Reason: Cessation of Operation
- Notification: Email to user and admin

User Deleted:
- Trigger: User deletion from system
- Action: Immediate certificate revocation
- Reason: Affiliation Changed
- Cleanup: Archive user data

Group Membership Removed:
- Trigger: User removed from group
- Condition: If group requires certificate
- Action: Revoke group-specific certificate
- Reason: Affiliation Changed

Account Expiration:
- Trigger: User account expiry date reached
- Action: Auto-revoke certificates
- Reason: Cessation of Operation
- Grace Period: Optional (e.g., 7 days)

Integration-Based Revocation

Identity Provider Sync:

Azure AD / Google Workspace:
- Employee termination in Azure
- Webhook to IronWiFi
- Automatic certificate revocation
- Reason: Affiliation Changed
- Timing: Within 5 minutes

SCIM Provisioning:
- User deactivation via SCIM
- IronWiFi receives update
- Certificates revoked
- Sessions terminated

HR System Integration:
- Termination date in HR system
- Scheduled revocation
- Advance notice to IT
- Graceful offboarding

Security Event-Driven Revocation

Automated Security Responses:

Compromised Device Detection:
- MDM reports device compromised
- Trigger revocation workflow
- Reason: Key Compromise
- Immediate effect

Unusual Activity Detection:
- Anomalous connection patterns
- Automated or manual review
- Precautionary revocation
- Reason: Certificate Hold (reversible)

Policy Violation:
- Bandwidth abuse
- Security scan detection
- Automated suspension
- Certificate Hold pending review

Multiple Failed Authentications:
- Threshold: 10 failures in 10 minutes
- Temporary suspension
- Certificate Hold
- Admin notification for review

Revocation Verification

Testing Revocation

Verification Steps:

1. Revoke Test Certificate:
   - Create test user
   - Issue certificate
   - Revoke certificate
   - Note revocation time

2. Check CRL:
   - Download current CRL
   - Verify certificate serial present
   - Check revocation reason
   - Verify signature

3. Check OCSP:
   - Query OCSP responder
   - openssl ocsp -issuer ca.crt -cert client.crt \
     -url http://ocsp.ironwifi.com -CAfile ca.crt
   - Expected response: "Revoked"
   - Verify revocation time and reason

4. Test Authentication:
   - Attempt connection with revoked certificate
   - Expected: Authentication failure
   - RADIUS log: Certificate revoked
   - Verify rejection message

5. Timing Verification:
   - CRL update delay: Under 1 hour (default)
   - OCSP response: Real-time (under 5 seconds)
   - RADIUS cache: Clear cache to test immediately

Monitoring Revocation Status

Real-Time Monitoring:

Dashboard Metrics:
├─ Total Issued Certificates: 1,234
├─ Valid Certificates: 1,156
├─ Expired Certificates: 45
├─ Revoked Certificates: 33
│   ├─ Key Compromise: 5
│   ├─ Affiliation Changed: 18
│   ├─ Superseded: 7
│   └─ Other: 3
└─ Certificates on Hold: 2

Recent Revocations (24h):
- 2024-12-16 14:32: user1@company.com (Affiliation Changed)
- 2024-12-16 09:15: user2@company.com (Key Compromise)
- 2024-12-15 16:45: user3@company.com (Superseded)

Alerts:
- Certificate revoked: Immediate notification
- Bulk revocations: Summary notification
- Failed revocation: Admin alert

Certificate Hold and Reinstatement

Temporary Suspension

Certificate Hold Mechanism

Use Cases for Certificate Hold:

Investigation Period:
- Suspected compromise
- Policy violation under review
- Security incident investigation
- Pending verification

Temporary Leave:
- Employee sabbatical
- Extended medical leave
- Temporary suspension
- Reactivation expected

Grace Period:
- Payment pending
- Contract renewal in progress
- Paperwork processing
- Short-term suspension

How Hold Works:
- Certificate marked as "on hold" in CRL
- OCSP returns "Revoked" (reason: Certificate Hold)
- Authentication rejected
- Reversible: Can be removed from CRL
- Not permanently revoked

Placing Certificate on Hold

IronWiFi Console:

1. Navigate to Certificate Management
2. Select certificate
3. Click "Suspend Certificate"

Suspension Dialog:
├─ Reason: Certificate Hold
├─ Hold Duration: [Days or indefinite]
├─ Auto-Release: [Optional date]
├─ Notify User: ✓
└─ Notes: [Internal notes]

Effect:
- Immediate authentication denial
- Added to CRL with Hold reason
- OCSP returns Revoked (Hold)
- User notification sent
- Reversible action

Removing Certificate from Hold

Reinstatement Process:

1. Navigate to Certificate Management
2. Filter: Status = On Hold
3. Select certificate(s)
4. Click "Remove Hold"

Reinstatement Dialog:
├─ Certificate: [Details]
├─ Hold Since: [Date]
├─ Hold Reason: [Original reason]
├─ Release Reason: [Required]
├─ Effective: [Immediately or scheduled]
└─ Notify User: ✓

Post-Reinstatement:
- Removed from CRL
- OCSP status: Good
- Authentication allowed
- User notification
- Audit trail updated

Note: Certificate Hold is the ONLY reversible revocation reason

Permanent Revocation

Irreversible Revocations

Permanent Revocation Reasons:

Key Compromise:
- Private key exposed
- Device stolen
- Security breach
- Requires new certificate

CA Compromise:
- Certificate Authority compromised
- All certificates potentially affected
- Mass reissuance required

Affiliation Changed:
- Employee terminated
- Contractor ended
- User role changed
- Organization departure

Superseded:
- Certificate replaced
- Upgraded certificate issued
- Old certificate invalid

Cessation of Operation:
- Service discontinued
- Device decommissioned
- Account closed

Unspecified:
- Generic revocation
- Reason not disclosed

Important:
- These revocations are PERMANENT
- Cannot be undone
- Certificate cannot be reinstated
- New certificate required for access
- Serial number remains in CRL indefinitely (or per retention policy)

Troubleshooting

Common Issues

CRL Download Failures

Symptoms:
- RADIUS logs show CRL retrieval errors
- Authentication timeouts
- All certificates rejected

Causes:
- Network connectivity issues
- Firewall blocking HTTP/HTTPS
- DNS resolution failures
- CRL distribution point unavailable
- Expired CRL

Diagnosis:

1. Test CRL URL manually:
   wget https://console.ironwifi.com/crl/[account-id].crl

2. Check CRL validity:
   openssl crl -in downloaded.crl -text -noout

3. Verify dates:
   - This Update: Should be recent
   - Next Update: Should be future

4. Check RADIUS logs:
   grep "CRL" /var/log/radius/radius.log

Solutions:

- Verify network connectivity from RADIUS server
- Check firewall rules (allow outbound HTTP/HTTPS)
- Verify DNS resolution
- Increase CRL cache duration
- Enable CRL fallback behavior
- Contact IronWiFi support if distribution point down

OCSP Responder Timeouts

Symptoms:
- Slow authentication
- Intermittent failures
- RADIUS logs show OCSP timeout errors

Causes:
- Network latency
- OCSP responder overloaded
- Firewall issues
- DNS problems
- Configuration errors

Diagnosis:

1. Test OCSP manually:
   openssl ocsp -issuer ca.crt -cert client.crt \
     -url http://ocsp.ironwifi.com -CAfile ca.crt

2. Measure response time:
   time openssl ocsp ... (should be under 1 second)

3. Check connectivity:
   ping ocsp.ironwifi.com
   traceroute ocsp.ironwifi.com

4. Review RADIUS configuration:
   - OCSP timeout setting
   - Soft fail configuration
   - Cache settings

Solutions:

- Increase OCSP timeout (default: 5s → 10s)
- Enable OCSP soft fail (allow if unavailable)
- Enable OCSP response caching
- Configure CRL as fallback
- Check network path to OCSP responder
- Verify firewall allows HTTP to ocsp.ironwifi.com

Revoked Certificates Still Authenticating

Symptoms:
- Certificate revoked but user still connects
- Delay in revocation enforcement
- Inconsistent behavior

Causes:
- CRL not updated on RADIUS server
- OCSP caching
- RADIUS certificate cache
- CRL/OCSP disabled
- Configuration error

Diagnosis:

1. Verify revocation in IronWiFi:
   - Check certificate status
   - Confirm in revoked list
   - Note revocation timestamp

2. Check CRL distribution:
   - Download current CRL
   - Verify serial number present
   - Check "This Update" timestamp

3. Verify RADIUS CRL:
   - Check RADIUS CRL cache
   - Compare timestamps
   - Force CRL reload

4. Test OCSP:
   - Query certificate status
   - Should return "Revoked"

Solutions:

- Force CRL update on RADIUS:
  - Delete cached CRL
  - Restart RADIUS service
  - Or wait for next update interval

- Clear OCSP cache (if applicable)

- Verify RADIUS configuration:
  - check_crl = yes
  - OCSP enabled

- Reduce CRL update interval:
  - Default: 1 hour → 15 minutes (if needed)

- For immediate effect:
  - Use OCSP instead of CRL
  - Reduce cache durations
  - Enable real-time checking

Certificate Wrongly Revoked

Symptoms:
- Valid user cannot authenticate
- Certificate shows as revoked
- User claims no security incident

Causes:
- Accidental revocation
- Automated rule false positive
- Bulk revocation mistake
- Integration error

Diagnosis:

1. Check certificate status:
   - IronWiFi console
   - Verify revocation details
   - Review revocation reason
   - Check who performed revocation

2. Review audit logs:
   - Revocation timestamp
   - Triggering event
   - Admin action or automated
   - Integration webhook logs

3. Verify user account:
   - User status
   - Group membership
   - Account expiration

Solutions:

If Certificate On Hold (Temporary):
- Remove from hold (reversible)
- User can reconnect immediately

If Permanently Revoked:
- Cannot undo revocation
- Issue new certificate:
  1. Generate new certificate for user
  2. Send to user via email or portal
  3. User installs new certificate
  4. Old certificate remains revoked

- Review process to prevent recurrence:
  - Adjust automated rules
  - Update integration logic
  - Train administrators
  - Add approval workflows for bulk actions

Debugging Tools

OpenSSL Commands

Certificate Verification:

Check Certificate Details:
openssl x509 -in client.crt -text -noout

Verify Certificate Chain:
openssl verify -CAfile ca.crt -crl_check \
  -CRLfile ca.crl client.crt

Check CRL:
openssl crl -in ca.crl -text -noout

OCSP Query:
openssl ocsp -issuer ca.crt -cert client.crt \
  -url http://ocsp.ironwifi.com -CAfile ca.crt -resp_text

Expected OCSP Responses:
- Good: Certificate is valid
- Revoked: Certificate has been revoked (with reason)
- Unknown: Certificate not found

RADIUS Debugging

FreeRADIUS Debug Mode:

Stop RADIUS:
systemctl stop freeradius

Run in Debug Mode:
radiusd -X

Look for CRL/OCSP Output:
- CRL download messages
- CRL parsing
- Certificate chain validation
- OCSP queries and responses
- Revocation checking results

Test Single Authentication:
radtest username password localhost 0 testing123

Expected Debug Output (Revoked Cert):
- Certificate presented
- Serial number: 0A1B2C3D4E (example)
- CRL check: Certificate found in CRL
- Revocation reason: Key Compromise
- Authentication: REJECTED

Network Diagnostics

Connectivity Tests:

Test CRL Download:
curl -I https://console.ironwifi.com/crl/[account-id].crl
wget --spider https://console.ironwifi.com/crl/[account-id].crl

Test OCSP Connectivity:
nc -vz ocsp.ironwifi.com 80
curl -I http://ocsp.ironwifi.com

DNS Resolution:
nslookup console.ironwifi.com
nslookup ocsp.ironwifi.com

Trace Route:
traceroute console.ironwifi.com
traceroute ocsp.ironwifi.com

Firewall Test:
tcpdump -i any host ocsp.ironwifi.com

Best Practices

Revocation Policy

Define Revocation Procedures

Revocation Policy Template:

Immediate Revocation (within 1 hour):
- Lost or stolen devices
- Suspected compromise
- Employee termination for cause
- Security incident
- Legal requirement

Scheduled Revocation (within 24 hours):
- Standard employee termination
- Contractor end date
- Planned device replacement
- Certificate upgrade

Grace Period Revocation (3-7 days):
- Employee departure with notice period
- Contractor rolling off
- Certificate expiration with renewal
- Voluntary resignation

Revocation Reasons Mapping:
- Termination → Affiliation Changed
- Device lost/stolen → Key Compromise
- Security incident → Key Compromise
- Certificate replacement → Superseded
- Service discontinued → Cessation of Operation
- Investigation → Certificate Hold (temporary)

Approval Workflows

Revocation Authorization:

Single Certificate:
- Help desk can revoke for lost device
- Manager approval for employee
- Security team for compromise
- Automated for account deletion

Bulk Revocation (over 10):
- Requires manager approval
- Security team notification
- Change control ticket
- Scheduled maintenance window

Emergency Revocation:
- Security team authority
- Immediate action
- Post-incident review
- Audit trail required

Reinstatement from Hold:
- Original revoker can release
- Manager approval required
- Security review for compromises
- Documented reason required

Monitoring and Alerting

Real-Time Alerts

Alert Configuration:

Critical Alerts (Immediate):
- Mass revocation (over 50 certificates)
- CA private key access attempt
- CRL distribution point failure
- OCSP responder down
- Unusual revocation pattern

Warning Alerts (Within 1 hour):
- Bulk revocation (10-50 certificates)
- CRL update failure
- OCSP timeout increase
- Revocation rate spike

Informational Alerts (Daily digest):
- Daily revocation summary
- Certificates expiring (30 days)
- Revocation reason distribution
- Top users by revocations

Alert Channels:
- Email: Security team, IT management
- SMS: For critical alerts
- Slack/Teams: Operations channel
- SIEM: Integration for correlation
- Ticketing: Automatic ticket creation

Regular Auditing

Audit Schedule:

Daily:
- Review revocation log
- Check CRL/OCSP availability
- Monitor revocation rate
- Verify automated revocations

Weekly:
- Analyze revocation reasons
- Review hold status certificates
- Check authentication failure patterns
- Validate integration synchronization

Monthly:
- Comprehensive revocation report
- Policy compliance review
- Process effectiveness evaluation
- Training needs assessment

Quarterly:
- Security audit
- Revocation procedure review
- Disaster recovery test
- Stakeholder reporting

Annual:
- Policy review and update
- Technology assessment
- Compliance certification
- Executive presentation

Certificate Lifecycle Management

Proactive Management

Lifecycle Automation:

Certificate Issuance:
- Automated provisioning
- Default validity: 1 year
- Renewal notifications: 30, 14, 7 days
- Auto-renewal option available

Certificate Renewal:
- Automated renewal process
- Overlap period: 7 days
- Old certificate auto-revoked after new issued
- Reason: Superseded

Certificate Expiration:
- Warning emails: 30, 14, 7 days before
- Automatic revocation on expiration
- Grace period: Optional 7 days
- User portal for self-renewal

Certificate Replacement:
- Device upgrade triggers new certificate
- Old certificate revoked (Superseded)
- Automated distribution
- Zero downtime transition

Certificate Hygiene

Maintenance Tasks:

Unused Certificates:
- Detection: No auth in 90 days
- Action: Review and revoke
- Notification: User and manager
- Cleanup: Reduce attack surface

Duplicate Certificates:
- Detection: Multiple certs per user
- Analysis: Check necessity
- Action: Revoke older/unnecessary
- User education: Proper usage

Over-Privileged Certificates:
- Review: User role vs. certificate group
- Detection: Access beyond role
- Action: Revoke and reissue
- Principle: Least privilege

Orphaned Certificates:
- Detection: User account deleted
- Certificate still valid
- Action: Immediate revocation
- Prevention: Automated cleanup

Security Hardening

CRL Security

CRL Protection:

Signing Key Security:
- CA private key in HSM
- Access controls strict
- Audit all key usage
- Regular key rotation (3-5 years)

Distribution Security:
- HTTPS for CRL distribution
- CRL signed by CA
- Signature verification mandatory
- Integrity checking

Update Frequency:
- Default: Every 1 hour
- High security: Every 15 minutes
- Balance: Security vs. bandwidth
- Emergency updates: On-demand

Backup and Redundancy:
- Multiple CRL distribution points
- Geographic redundancy
- CDN distribution for performance
- Fallback mechanisms

OCSP Security

OCSP Hardening:

OCSP Responder Security:
- Dedicated OCSP signing certificate
- Separate from CA certificate
- Limited privilege
- Short-lived responses (24h max)

Request Security:
- Nonce support (replay protection)
- Rate limiting
- DDoS protection
- Authentication (optional)

Response Security:
- Always signed
- Signature validation required
- Timestamp verification
- No caching of revoked responses

Infrastructure Security:
- Redundant OCSP responders
- Load balancing
- DDoS mitigation
- 99.9% SLA target

Access Controls

Revocation Permissions:

Role-Based Access:

Security Administrator:
- Revoke any certificate
- Bulk operations
- Emergency revocations
- Policy configuration

Certificate Administrator:
- Revoke within managed groups
- Individual revocations
- View all certificates
- Generate reports

Help Desk:
- Revoke for lost device (with verification)
- Suspend (Certificate Hold)
- Limited to assigned users
- Cannot bulk revoke

Manager:
- Revoke for direct reports
- Approve revocations
- View team certificates
- Request bulk operations

Audit Requirements:
- All revocations logged
- User, timestamp, reason
- IP address, session ID
- Approval chain recorded
- Immutable audit trail

Compliance and Reporting

Regulatory Requirements

GDPR Compliance

Right to Access:
- Users can view their certificates
- Revocation history available
- Export certificate data
- Self-service portal access

Right to Erasure:
- Certificate revocation
- Data retention limits
- Anonymization of logs
- Complete removal option

Data Protection:
- Private keys encrypted
- Certificate data secured
- Access controls enforced
- Breach notification (72h)

Audit Trail:
- Who revoked certificates
- When and why
- User notification logs
- Data access records

HIPAA Compliance

Access Control (§164.312(a)(1)):
- Unique user identification (certificate CN)
- Emergency access procedure (admin override)
- Automatic logoff (session timeout)
- Encryption and decryption (TLS)

Audit Controls (§164.312(b)):
- Certificate issuance logging
- Revocation tracking
- Authentication attempts
- Access to PHI systems

Integrity (§164.312(c)(1)):
- Certificate validation
- Non-repudiation (digital signatures)
- Data integrity checking

Transmission Security (§164.312(e)(1)):
- TLS encryption (EAP-TLS)
- Certificate-based authentication
- Secure key exchange

PCI-DSS Compliance

Requirement 8.2: Strong Authentication
- Two-factor: Certificate + device
- Unique credentials per user
- Immediate revocation capability

Requirement 10.2: Audit Trails
- User authentication events
- Certificate revocations
- Admin actions logged
- Protected audit logs

Requirement 11.4: Intrusion Detection
- Unusual revocation patterns
- Compromised certificate detection
- Alerting mechanisms

Requirement 12.3: Usage Policies
- Acceptable use policy
- Revocation procedures
- User responsibilities
- Certificate handling

Reporting

Standard Reports

Certificate Revocation Report:

Daily Summary:
- Revocations today: 5
- Reason breakdown:
  - Affiliation Changed: 3
  - Key Compromise: 1
  - Superseded: 1
- Total revoked: 127
- Active certificates: 1,089

Weekly Trends:
- Revocations this week: 23
- Average per day: 3.3
- Week-over-week: +15%
- Top reasons: Affiliation (60%), Superseded (25%)

Monthly Analysis:
- Total revocations: 98
- By department:
  - Sales: 34
  - Engineering: 28
  - Operations: 22
  - Other: 14
- Revocation reasons distribution
- Cost impact (reissuance)

Annual Review:
- Total certificates issued: 3,456
- Total revoked: 892 (25.8%)
- Average certificate lifetime: 274 days
- Revocation by reason (12-month)
- Compliance metrics
- Process improvements

Custom Reports

Report Builder:

Dimensions:
- Time period
- User/group
- Revocation reason
- Department
- Location
- Certificate type

Metrics:
- Revocation count
- Average certificate age at revocation
- Time to revoke (from request)
- Reissuance rate
- Authentication failures post-revocation

Filters:
- Date range
- Specific users
- Revocation reasons
- Manual vs. automated
- Emergency vs. planned

Export Formats:
- PDF (executive summary)
- Excel (detailed data)
- CSV (raw data)
- JSON (API integration)

Scheduling:
- Daily, weekly, monthly
- Email delivery
- Portal access
- API endpoint

Emergency Procedures

Mass Revocation

CA Compromise Scenario

Response Plan:

Immediate (Hour 0):
1. Identify compromise scope
2. Revoke all potentially affected certificates
3. Notify all users
4. Disable certificate issuance
5. Alert security team

Short Term (Hours 1-24):
1. Generate new CA key pair (if needed)
2. Issue new CA certificate
3. Communicate recovery plan to users
4. Set up temporary authentication (if needed)
5. Begin certificate reissuance

Medium Term (Days 1-7):
1. Automated certificate reissuance
2. User communication and support
3. Monitor adoption rate
4. Help desk surge staffing
5. Verify new infrastructure

Long Term (Weeks 1-4):
1. Complete certificate migration
2. Revoke old CA certificate
3. Post-incident review
4. Process improvements
5. Documentation updates

Notification Template:
Subject: URGENT: WiFi Certificate Security Update Required

Dear [User],

We have identified a security incident affecting WiFi certificates.
For your protection, your current certificate has been revoked.

Action Required:
1. Download new certificate: [link]
2. Install following guide: [link]
3. Remove old certificate
4. Deadline: [date]

Support: [contact info]

Disaster Recovery

Revocation System Failure

Failover Procedures:

CRL Distribution Failure:

Primary Distribution Point Down:
1. Automatic failover to secondary CRL URL
2. CDN serves cached CRL (max age: 1 hour)
3. Alert operations team
4. Investigate primary server
5. Restore service

Both CRL URLs Down:
1. RADIUS uses last cached CRL
2. Emergency mode: OCSP only
3. Escalate to critical incident
4. Manual CRL distribution if needed
5. Emergency communication

OCSP Responder Failure:

Primary OCSP Down:
1. Automatic failover to secondary
2. Load balancer redirects traffic
3. Monitor response times
4. Alert engineering team

All OCSP Responders Down:
1. Soft-fail: Proceed without OCSP
2. OR Hard-fail: Deny authentication
   (Based on security policy)
3. Fallback to CRL checking
4. Emergency incident response
5. Rapid recovery priority

Complete Failure (CRL + OCSP):

Emergency Authentication:
1. Configure emergency access method:
   - Temporary password authentication
   - MAC address bypass for critical systems
   - Admin-approved access list
2. Notify users of temporary procedure
3. All-hands recovery effort
4. Post-recovery: Audit emergency access
5. Remove emergency access immediately

Recovery Validation:
1. Verify CRL downloadable
2. Test OCSP queries
3. Confirm revoked certs denied
4. Validate valid certs accepted
5. Remove emergency procedures
6. Document incident

Advanced Topics

Delta CRLs

Concept and Benefits

Delta CRL Overview:

Problem with Base CRLs:
- Large file size (growing over time)
- Bandwidth intensive
- Slow downloads
- Infrequent updates due to size

Delta CRL Solution:
- Base CRL: Complete list (published weekly/monthly)
- Delta CRL: Only changes since base (published hourly)
- Much smaller size
- Faster updates
- Reduced bandwidth

Implementation:
Base CRL:
- Published: Weekly
- Contains: All revoked certificates
- Size: 500 KB (example)

Delta CRL:
- Published: Hourly
- Contains: New revocations since base
- Size: 5-20 KB
- References: Base CRL number

Client Behavior:
1. Download base CRL (weekly)
2. Download delta CRLs (hourly)
3. Merge delta with base
4. Check certificate status
5. Refresh delta hourly, base weekly

IronWiFi Support:
- Currently: Base CRL only
- Future: Delta CRL support planned
- Configuration: Automatic when enabled

Certificate Pinning

Enhanced Security

Concept:

Standard Validation:
- Trust any certificate from trusted CA
- Vulnerable to CA compromise
- Vulnerable to rogue certificates

Certificate Pinning:
- Trust specific certificate(s)
- Pin to specific CA certificate
- Pin to specific server certificate
- Enhanced security

Implementation in WiFi Profiles:

iOS Configuration Profile:
<dict>
    <key>PayloadCertificateAnchorUUID</key>
    <array>
        <string>CA-CERT-UUID</string>
    </array>
    <key>TLSTrustedServerNames</key>
    <array>
        <string>radius.ironwifi.com</string>
    </array>
</dict>

Android:
- Similar pinning in network configuration
- Pin to specific CA
- Validate server name

Benefits:
- Prevents rogue RADIUS servers
- Stops MITM attacks
- Requires specific CA certificate
- Additional security layer

Considerations:
- CA certificate updates require profile update
- More management overhead
- Higher security for sensitive environments

Support and Resources

IronWiFi Support

Contact Information

Email: support@ironwifi.com
Portal: console.ironwifi.com/support
Documentation: www.ironwifi.com/help-center
Emergency: Available for Enterprise accounts

Response Times

Critical (revocation system down): Under 2 hours
High (mass revocation needed): Under 4 hours
Normal (revocation questions): Within 24 hours
General guidance: Within 48 hours

PKI Infrastructure - Certificate authority management
EAP-TLS Configuration - Client certificate setup
Passpoint OSU Portal - Automated certificate provisioning
Security & Compliance - Security best practices

External Resources

Standards and RFCs

RFC 5280: X.509 Certificate and CRL Profile
RFC 6960: Online Certificate Status Protocol (OCSP)
RFC 6961: Multiple Certificate Status Request (OCSP Stapling)
RFC 3647: Certificate Policy and Certification Practices Framework

Tools

OpenSSL: Certificate and CRL manipulation
XCA: Certificate authority management
Wireshark: Network traffic analysis (OCSP/CRL)

Need Help with Certificate Revocation?

Contact IronWiFi support for assistance with revocation policies, emergency procedures, or implementation guidance.

Was this page helpful?

Overview​

Why Certificate Revocation Matters​

Revocation Technologies​

Certificate Revocation List (CRL)​

Online Certificate Status Protocol (OCSP)​

OCSP Stapling​

Comparison Matrix​

IronWiFi Revocation Configuration​

Enabling CRL​

Enabling OCSP​

RADIUS Server Configuration​

Revocation Procedures​

Manual Certificate Revocation​

Automated Revocation​

Revocation Verification​

Certificate Hold and Reinstatement​

Temporary Suspension​

Permanent Revocation​

Troubleshooting​

Common Issues​

Debugging Tools​

Best Practices​

Revocation Policy​

Monitoring and Alerting​

Certificate Lifecycle Management​

Security Hardening​

Compliance and Reporting​

Regulatory Requirements​

Reporting​

Emergency Procedures​

Mass Revocation​

Disaster Recovery​

Advanced Topics​

Delta CRLs​

Certificate Pinning​

Support and Resources​

IronWiFi Support​

Related Documentation​

External Resources​

Related Topics​

Overview

Why Certificate Revocation Matters

Revocation Technologies

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

OCSP Stapling

Comparison Matrix

IronWiFi Revocation Configuration

Enabling CRL

Enabling OCSP

RADIUS Server Configuration

Revocation Procedures

Manual Certificate Revocation

Automated Revocation

Revocation Verification

Certificate Hold and Reinstatement

Temporary Suspension

Permanent Revocation

Troubleshooting

Common Issues

Debugging Tools

Best Practices

Revocation Policy

Monitoring and Alerting

Certificate Lifecycle Management

Security Hardening

Compliance and Reporting

Regulatory Requirements

Reporting

Emergency Procedures

Mass Revocation

Disaster Recovery

Advanced Topics

Delta CRLs

Certificate Pinning

Support and Resources

IronWiFi Support

Related Documentation

External Resources

Related Topics