Digital certificate revocation: what it is and how to do it

A digital certificate is not immune to being lost or stolen in a security breach. That is why there has to be a way to revoke it, so that nobody can use it to impersonate us. This is the main purpose of certificate revocation. Below we look in more detail at what a revoked certificate is and how the revocation process works.

The digital certificate is the tool that allows us to “identify ourselves on the Internet and exchange information with other people and organizations with the guarantee that only you and your interlocutor can access it”, according to the FNMT (Fábrica Nacional de Moneda y Timbre).

We have discussed its uses on this blog many times. With it we can file and pay taxes, submit appeals and claims, check traffic fines or the municipal register, and carry out a long list of other procedures with local, regional and national administrations. Likewise, all kinds of operations can be carried out in the private sphere: identifying yourself digitally to banks, buying and selling, contracting services, and so on.

With all this in mind, the moment we suspect that the digital certificate may have been copied, that a third party has had access to our private key, or simply that we have lost it and cannot find it, the sensible thing to do is to revoke it and then obtain a new one.

Guide to revoking a digital certificate

What does it mean to have a certificate revoked and how is it done?

As the FNMT website explains, a revoked certificate is one that has “cancelled its validity before the expiration date stated on it”. This revocation can be requested at any time, especially when “the holder believes that his private keys are known by others”.

Revocation must be requested from the same organization that issued the certificate. The most widespread issuers in Spain are the electronic ID (DNIe) and the FNMT, but there are many others:

  • Electronic ID: if you lose the secret PIN, suspect that someone else knows it, or lose the ID card itself, the National Police states that you must go to an ID issuing office to report it and have the certificate revoked.
  • FNMT: certificates issued by the Fábrica Nacional de Moneda y Timbre can be revoked online, by telephone, or in person at certain registry offices of the Tax Agency's delegations and administrations or at the Comisión Nacional del Mercado de Valores (National Securities Market Commission).
  • Certificates issued by other PSCs (Prestadores de Servicios de Certificación, the Spanish term for certification service providers, now trust service providers under eIDAS): revocation requires going in person to the PSC or to one of its Registration Authorities. Most of them also allow it to be done online, using a secret revocation code that is handed to the user together with the certificate. Each PSC's website describes its own revocation procedure in detail.

Once the revocation takes effect, any digital signature made with the private key associated with the certificate after the revocation time is invalid. Signatures made before that time remain valid only if their date can be established reliably, which is what time-stamping a signature is for; without it a verifier cannot distinguish a genuine pre-revocation signature from one forged later with the stolen key.

How do you check whether a certificate is still valid?

Certification Authorities (CAs) are the organizations empowered to issue and revoke certificates; since the eIDAS regulation came into force they are known in the European Union as Qualified Trust Service Providers (QTSPs). These authorities are also required to publish certificate revocation lists (CRLs).

A CRL is one of the mechanisms for checking whether a certificate has been revoked before its expiry date, but it is not the only one. OCSP is another validation service, and it is also supported by Viafirma's solutions.

OCSP stands for Online Certificate Status Protocol. It is specified in RFC 6960 and was created to address some of the drawbacks of relying on revocation lists in a public PKI: a CRL enumerates every revoked certificate of an issuer and has to be downloaded and parsed in full to answer a question about a single certificate.

The OCSP check itself is simple. The client sends the responder a request that identifies the certificate (issuer name hash, issuer key hash and serial number), and the responder returns a signed response stating whether the status is good, revoked or unknown, together with the time the status was produced and, optionally, how long it remains valid (thisUpdate and nextUpdate). The client must verify the signature on the response against a responder it trusts before acting on the status.

The main advantage of OCSP over CRLs is that it can give fresher revocation information, and relying parties do not have to download and process whole revocation lists. On the other hand, OCSP needs the responder to be reachable at verification time, whereas a CRL can be cached locally and consulted offline until its nextUpdate time passes. A verifier therefore has to decide explicitly what to do when the responder cannot be reached (accept the certificate or refuse it), because that choice determines whether a lost connection fails open or fails closed.
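As an added illustration (not code from the Viafirma page or its products), the following script builds a throwaway CA with the openssl command-line tool, issues two certificates, revokes one of them, and then checks both through each of the two mechanisms just described: a CRL published by the CA, and a signed OCSP response produced by the CA's own responder running locally from its issuance index. It assumes an OpenSSL CLI (1.1.1 or 3.x) is installed; every name and file in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the Viafirma page or its products): a throwaway PKI
# built with the openssl CLI, exercising both revocation-checking paths:
#   1. CRL:  the CA revokes a certificate and publishes a CRL; the verifier checks
#            the chain against that CRL (openssl verify -crl_check).
#   2. OCSP: the CA's responder answers a request for the certificate from its own
#            index with a signed response (openssl ocsp in responder mode, no
#            network needed); the client verifies the signature and reads the status.
# Assumes an OpenSSL CLI (1.1.1 or 3.x). All names and files here are constructed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# --- Issuing CA --------------------------------------------------------------
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout ca.key -out ca.crt -subj "/CN=Demo CA" >/dev/null 2>&1

# Minimal database for 'openssl ca': index.txt records every issued certificate
# and its status (V = valid, R = revoked) and is also what the OCSP responder
# reads; crlnumber is the monotonically increasing CRL number.
: > index.txt
echo 1000 > serial
echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF

# --- Two end-entity certificates: one will be revoked, one stays valid -------
issue_cert() {  # $1 = file prefix, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}
issue_cert user  "Demo User"
issue_cert other "Other User"

# --- Revocation: the holder reports a lost key; the CA marks the entry R in
#     index.txt and publishes a fresh CRL. Both status sources now say "revoked".
openssl ca -config ca.cnf -revoke user.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

# Path 1: CRL check of the certificate in $1. Prints good, revoked, or error: ...
crl_status() {
  out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1) \
    && { echo good; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo "error: $out" ;;
  esac
}

# Path 2: OCSP check of the certificate in $1. The responder signs with the CA
# key (-rsigner/-rkey); the client only accepts the status if the response
# signature verifies against ca.crt. -no_nonce on both sides because the
# request is rebuilt from the file here; a live client sends a nonce and
# checks that the response echoes it, to defeat replay of old responses.
ocsp_status() {
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -issuer ca.crt -cert "$1" -no_nonce -respout ocsp.der >/dev/null 2>&1
  out=$(openssl ocsp -respin ocsp.der -issuer ca.crt -cert "$1" -CAfile ca.crt \
    -no_nonce 2>ocsp.err) || true
  grep -q "Response verify OK" ocsp.err \
    || { echo "error: response signature not trusted"; return 0; }
  case "$out" in
    *"$1: good"*)    echo good ;;
    *"$1: revoked"*) echo revoked ;;
    *)               echo "error: $out" ;;
  esac
}

echo "user.crt  CRL=$(crl_status user.crt)  OCSP=$(ocsp_status user.crt)"
echo "other.crt CRL=$(crl_status other.crt) OCSP=$(ocsp_status other.crt)"
```

Run it in a POSIX shell. Each status function takes the certificate file to check and prints good, revoked, or an error line, so a caller can treat "not good" as a refusal rather than silently accepting an unverifiable response. To look inside the artifacts, `openssl crl -in ca.crl -noout -text` shows the revoked serial (1000) and the Next Update field that bounds how long the list may be cached, and `openssl ocsp -respin ocsp.der -text -noverify` dumps the signed response with its Produced At time.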


How to avoid revocation of your digital certificate?

As the saying goes, prevention is better than cure. The best approach is therefore to use tools that keep the private key behind the certificate well protected, so that revocation is a last resort rather than the routine response to a compromise.

One of the safest ways to store and use a digital certificate, and the one Viafirma uses, is centralized (server-side) signing. This avoids installing the certificate and its private key on a user's own device, which can be stolen or used by a third party.

The private key is held in a hardware security module (HSM) on a secure server, and using it requires at least two-factor (strong) authentication. Besides the significant gain in security, mobility improves too, since the user can sign from anywhere without always having to carry the same device.

Sometimes it is necessary to delegate signing: a company manager who lacks the time to sign all the documents that come in, or someone whose agency needs certain permissions to do its work. For this there is the figure of signature delegation, which avoids compromising the signature and prevents it from being used improperly or fraudulently.

With Viafirma solutions such as Viafirma Fortress, signing can be delegated while maintaining the security level, through policies that define how, when and where the delegated certificate may be used. If the trusted person wants to delegate in turn to a third party, it is the certificate holder who must confirm that authorization. Bear in mind that the delegation mechanism must have legal coverage in the territory where it is applied.

In addition, all activity carried out with the signature is logged and audited by the system, so any incident can be reviewed later in the records.

In short, having our certificate revoked is the necessary response to theft or loss, and any certification authority can carry it out. Fortunately, there are now several effective ways to protect the certificate on secure servers, taking advantage of what the cloud offers.

