A digital certificate can be lost or stolen in a security breach. That is why we need a way to cancel it, so that no one can impersonate us. This is the main purpose of certificate revocation. Below we look at what revocation is and how it works.
The digital certificate is the tool that allows us to "identify ourselves on the Internet and exchange information with other people and organizations with the guarantee that only you and your interlocutor can access it", in the words of the National Currency and Stamp Factory (NCSF, by its acronym in English).
We have discussed the usefulness of a digital certificate at length on this blog many times. With it we can file and pay taxes, submit appeals and claims, check traffic fines or the municipal register, and carry out a long list of actions with local, regional and state administrations. Likewise, all kinds of operations can be carried out in the private sphere: identifying yourself digitally to a bank, buying and selling, contracting services, etc.
Taking all this into account, the moment we suspect that the certificate may have been copied, that third parties have had access to our private key, or simply that we have lost it and cannot find it, the most sensible thing is to revoke it and then obtain a new one.
What does it mean to revoke a certificate and how is it done?
As the NCSF website explains, revoking a certificate is “voiding its validity before the expiration date stated therein”. This revocation can be requested at any time, especially when “the owner believes that his private keys are known by others”.
Certificate revocation must be carried out with the same organization that generated the certificate. The most widespread in Spain are the electronic DNI and the NCSF, but there are many more:
• DNI: if you lose the secret PIN, suspect that another person knows it, or lose the ID card itself, the National Police state that you are obliged to go to an ID office to report it and revoke the certificate.
• NCSF: the revocation of a certificate issued by the National Currency and Stamp Factory can be done over the Internet, by telephone, or in person at one of the registry offices of the delegations and administrations of the Tax Agency or the National Market Commission of Values.
• Certificates issued by other QSPs (Qualified Service Providers, formerly Certification Authorities): to revoke these certificates, you must go in person to the QSP or to one of that organization's Registration Authorities. Most of them also allow you to do it online, using a secret revocation code that is provided to the user together with the certificate itself.
• The website of each QSP describes its revocation procedure in detail.
Once the revocation has been effective, any digital signature made with the private key associated with the certificate after this date will not be valid.
How to know the validity of a certificate?
Certification authorities (CAs) are the organizations with the capacity to issue and revoke certificates, although since the eIDAS regulation came into force they are known in the European Union as Qualified Service Providers (QSP, by its acronym in English). These authorities are also required to publish certificate revocation lists (CRLs).
CRLs are one of the mechanisms used to check whether a certificate is still valid before its expiration date, but they are not the only method. OCSP is another validation service, also supported by Viafirma solutions.
OCSP stands for Online Certificate Status Protocol, that is, a protocol for checking the status of a certificate online. This protocol is specified in RFC 6960 and was created to address certain drawbacks of relying on public revocation lists.
The OCSP verification process is very simple. The user's client sends a status request for a particular certificate, and the responder returns a signed response stating the current status of that certificate.
The main advantage of OCSP over CRLs is that it offers more up-to-date information on certificate revocation and, in addition, service providers do not need to download and process entire lists of revoked certificates. On the other hand, OCSP requires a live Internet connection at the time of the check, whereas a CRL can be stored temporarily and consulted locally.
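As an added illustration of how a relying party combines the two mechanisms just described, the following Python sketch (not Viafirma's code) models a cached CRL and an OCSP responder, prefers the fresher OCSP answer, falls back to the CRL only while it is inside its published validity window, and applies the rule from the revocation section that a signature made after the revocation date is not valid. All serial numbers, dates and the responder are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

@dataclass
class CRL:
    """Minimal model of a CRL: published by the CA with a validity window."""
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, datetime] = field(default_factory=dict)  # serial -> revocation time

    def is_fresh(self, now: datetime) -> bool:
        # A cached CRL may be used for local lookups only inside its published window.
        return self.this_update <= now <= self.next_update

@dataclass
class OCSPResponse:
    """Subset of an RFC 6960 response: a status and, if revoked, the revocation time."""
    status: str  # "good", "revoked" or "unknown"
    revocation_time: Optional[datetime] = None

def check_status(serial, now, ocsp_query, cached_crl):
    """Return (status, revocation_time); status is "good", "revoked" or "undetermined".
    OCSP is asked first because it is fresher; the cached CRL is only a fallback."""
    try:
        resp = ocsp_query(serial)
    except ConnectionError:  # responder unreachable: OCSP needs connectivity
        resp = None
    if resp is not None and resp.status in ("good", "revoked"):
        return resp.status, resp.revocation_time
    if cached_crl is not None and cached_crl.is_fresh(now):
        return ("revoked", cached_crl.revoked[serial]) if serial in cached_crl.revoked else ("good", None)
    return "undetermined", None  # neither source is usable: do not guess

def signature_acceptable(serial, signing_time, now, ocsp_query, cached_crl):
    """Accept only when the status is known and, if revoked, the (timestamped) signing time predates revocation."""
    status, rev_time = check_status(serial, now, ocsp_query, cached_crl)
    if status == "good":
        return True
    if status == "revoked":
        return signing_time < rev_time
    return False  # fail closed on "undetermined"

# Constructed sample data for a hypothetical issuer: one CRL and two responder behaviours.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
REVOKED_AT = NOW - timedelta(hours=2)
BEFORE, AFTER, STALE = REVOKED_AT - timedelta(hours=1), REVOKED_AT + timedelta(hours=1), NOW + timedelta(days=10)
SAMPLE_CRL = CRL(NOW - timedelta(days=1), NOW + timedelta(days=6), {4660: REVOKED_AT})
def fake_ocsp(serial):  # online responder that only knows serials 4660 and 4661
    return {4660: OCSPResponse("revoked", REVOKED_AT), 4661: OCSPResponse("good")}.get(serial, OCSPResponse("unknown"))
def offline_ocsp(serial):  # simulates a responder that cannot be reached
    raise ConnectionError("responder unreachable")
```

The signing time passed to `signature_acceptable` should come from a trusted timestamp, not from the signer's own clock, otherwise a stolen key could still produce "pre-revocation" signatures.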
How to avoid the revocation of your digital certificate?
As the saying goes, prevention is better than cure. The most advisable thing, therefore, is to use tools that guarantee a high level of security when safeguarding digital certificates, so that you do not have to resort to revocation when a problem arises.
One of the safest ways to store and use a digital certificate, also used by Viafirma, is centralized signing. This avoids the risk of having the certificate installed on a physical device, which can easily be stolen or used by third parties.
The certificate is stored on a secure server (an HSM) and accessing it requires at least two authentication factors (strong authentication). Besides the notable increase in security, mobility also improves, since the user can sign wherever they are without always having to carry the same device.
Sometimes it is necessary to delegate the signature, whether for a company CEO who does not have time to sign all the documentation that reaches them, or for anyone whose agency needs certain permits to carry out its work. That is why signature delegation exists: it helps keep the certificate safe and prevents improper or fraudulent use of it.
With Viafirma solutions, the signature can be delegated while maintaining the security levels, by establishing policies on where, when and how the certificate may be used. If the trusted delegate wishes in turn to delegate to third parties, it is the certificate owner who must confirm that authorization.
In addition, all activity carried out with the signature is recorded and audited by the system, so any incident that may have occurred can later be looked up in the records.
In short, revoking a digital certificate is a necessary process in cases of theft or loss, and any certification authority can carry it out. Fortunately, there are now several effective ways to protect the certificate through secure servers and to take advantage of cloud capabilities.