Certificate Protocols

Certificate Transparency requires all publicly-trusted certificates to be logged in append-only public logs. Here's how CT works, what SCTs are, and how to monitor CT logs for unauthorized certificates issued for your domains.

CMP (RFC 4210/9483) is the most comprehensive certificate management protocol, handling enrollment, renewal, revocation, key update, and cross-certification. Here's how it works, where it's used, and why it's complex but powerful.

A CRL is a signed list of revoked certificate serial numbers published by a CA. Here's how CRLs work, why they don't scale, and why they're still required in enterprise PKI despite their limitations.

EST (RFC 7030) is the modern replacement for SCEP, using HTTPS and TLS client authentication for secure certificate enrollment. Here's how it works, what it improves over SCEP, and where to use it.

OCSP lets clients check whether a certificate has been revoked in real-time by querying the CA's responder. Here's how it works, why browsers soft-fail, and why OCSP stapling is the only practical deployment.

SCEP enables network devices and endpoints to request certificates from a CA using simple HTTP operations. Here's how it works, why it's still everywhere despite being outdated, and where it creates security gaps.