Oct 10, 2022
This article provides step-by-step instructions on how to revoke a GlobalSign Client Certificate in your GlobalSign Certificate Center (GCC) account. If you are unable to complete this process please send an email to email@example.com or use this page to request revocation. Please be sure to supply your contact information, the reason for revocation, the Certificate OrderID, the link to the Certificate in https://crt.sh if possible and your account (PAR) number in the request.
IMPORTANT: Before you proceed with the revocation, you will need to reissue first so you don't have to order your Certificate again.
Certificate revocation is the process of permanently removing trust in a certificate. This can be done by adding the certificate to a Certificate Revocation List (CRL) or using a Online Certificate Status Protocol (OCSP).
CRLs are binary files that contain the serial numbers of revoked certificates and in some cases a revocation reason. Each time a revocation check is performed, the client applications needs the CRL from the Issuing CA. In some cases this may be cached from recent checks, but generally the CRL must be downloaded in full and searched. Over time, the CRLs grow as the number of certificates are revoked and this results in large CRLs and increased latency during the TLS handshake. OCSP addresses some of the performance and scalability issues inherent to CRLs. Instead of having to download a full revocation list each time, the OCSP server can be queried like a database for a specific certificate entry. The OCSP response is signed by the CA and contains a status for the certificate.
Revocation can happen for a variety of reasons, such as a private key being compromised, a change of information in the certificate, a certificate being mis-used by a malicious party or simply that the certificate is no longer required.
Because trust is removed upon revocation, any negative impact of relying on the certificate is reduced. Because this is a permanent action that protects relying parties, Certificate Authorities (CAs) like GlobalSign must ensure that revocations are properly authorized and happen swiftly. GlobalSign therefore has 24/7 revocation capabilities.
The Subscriber or the Subject (the entity or individual named in a certificate), the Registration Authority (RA) or the Certificate Authority (CA) can initiate revocation. This means that if the revocation is requested and authorized by these parties, the revocation is guaranteed to be performed.
Other third parties may request revocation, for example if they have proof that the private key is compromised, or that the certificate has been used for malicious purposes. These revocation requests are subject to review by the CA.
Any Subscriber or Subject who have access to their own account with GlobalSign, can request revocation anytime via their account. This is simple and almost instantaneous. For SSL, please see the following guide:
Subscribers or Subjects that don’t have access to their own account, as well as any other third party who believes there is a reasonable cause to revoke a certificate, can contact GlobalSign using this form for any type of revocation request: https://www.globalsign.com/en/report-abuse. Please provide as much information as possible, to ensure that our team can review the request quickly.
Particularly useful is any information that allows us to identify the reported certificate, and any evidence of mis-use or key compromise. GlobalSign maintains 24/7 capabilities to review these requests within 24 hours. Depending on the reason for the request, we may contact you to obtain additional information. For example, if you contact us to request the revocation of one of your own certificates, we may request additional proof that you are indeed the Subscriber or Subject. If you contact us about a possible compromised key, we will request evidence that the key has in fact been compromised.
Also, for compromised key, you will need to reissue first before revoking so you don't have to order your Certificate again.