Certificate revocation, why is it important?

Most people in our business knows  the purpose of certificates. They can for instance be used for identity and authentication purposes. Two common examples: 

  • To verify a remote website’s authenticity and encrypt the traffic. Commonly called ‘SSL certificates’
  • To authenticate to corporate Wi-Fi/VPN. Commonly called ‘Client Authentication certificates’

So, we use this to identify the authenticity of our web site or connecting user.

Certificates are considered a secure means of authentication. But how are we handling these identities? 

In user management, we normally have a procedure where we disable the user account on the day the user leaves the company. We may also  reset their password as an extra mean  of security. 

If a computer gets stolen, we normally disable/delete the computer account (and probably reset  the user account password).

Are we good now? As you might expect, the answer is NO.

The user credentials on the stolen client are no longer valid since you changed the password on the user. But did the user have a certificate as well? Did you process that?

Even if you change the password and log the user out of every application, the certificate is still a valid user credential in itself. It is still valid for VPN or Wi-Fi access. Some systems do not even check against AD/AAD for a matching identity object, as long as the certificate is issued by a trusted CA (Certification Authority).

To remedy this issue, you need to revoke the certificate. Make it invalid for usage. This can be done in several ways depending on your needs. For a small organization, it might be OK to do this process manually when retiring a user account or computer. But as the organization grows, this quickly becomes unmanageable. 

ADCS

At Onevinn, we developed a plugin for the Microsoft ADCS: ADCS-ACR

With this plugin, Revocation of certificates can be automated based on the state of AD objects they represent, among other features.

Contact

Do you want to take control of you certificate based environment? Contact us!

More articles

Welcome to us Lucaz Torp!

Who is Lucaz? My name is Lucaz, I’m 25 years old, and I live in Gothenburg.

Welcome to us Isak Tellström

[Who is Isak] I am 29, turning 30 this December. I live in a small community outside of Skövde...

Cooking up the perfect detection query

What is a detection? The term “detection” generally refers to a scheduled query against a database,...