Certificate Revocation Best Practices
Overview
Design reliable CRL and OCSP infrastructure. Covers CRL publication scheduling, OCSP responder deployment, delta CRLs, stapling configuration, and monitoring.
Table of Contents
- Revocation Architecture Overview
- CRL Publication Design
- Delta CRL Strategy
- OCSP Responder Deployment
- OCSP Stapling Configuration
- High Availability Patterns
- Client Behavior and Soft-Fail
- Monitoring and Alerting
- Performance Optimization
- Migration from CRL to OCSP
Overview
Certificate revocation is PKI’s weakest link. CRLs grow with every revocation and shrink only as the revoked certificates themselves expire, OCSP responders become single points of failure, and most clients soft-fail: when a revocation check cannot complete, they treat the certificate as valid. The result is that revoked certificates continue to be trusted, and the infrastructure meant to contain compromised keys provides a false sense of security.
This whitepaper addresses revocation infrastructure design from first principles. We cover CRL publication scheduling that balances freshness against size, OCSP responder deployment patterns that provide genuine high availability, and the practical reality of client behavior — what actually happens when revocation checks fail across browsers, operating systems, and application frameworks.
Whether you’re building revocation infrastructure from scratch or fixing an existing deployment that’s grown unreliable, this guide provides the architectural patterns and operational procedures you need.
What You’ll Learn
- CRL publication scheduling strategies that balance freshness, size, and CA load
- Delta CRL implementation to reduce bandwidth while maintaining revocation timeliness
- OCSP responder deployment architectures with load balancing and geographic distribution
- OCSP stapling configuration for Nginx, Apache, and IIS with verification procedures
- Client behavior analysis across major browsers, operating systems, and TLS libraries
- Monitoring patterns that detect revocation infrastructure failures before they impact security
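As an added example (not part of this whitepaper, and not code from any product it names), the following standard-library Python parses a DER-encoded CRL far enough to pull out thisUpdate, nextUpdate, the revoked serials and the encoded size, then applies the freshness check a revocation monitor needs: it warns while a fraction of the publication window still remains, rather than after nextUpdate has already passed and clients have started to soft-fail. The sample CRL is constructed inline with a dummy signature; the signature is not verified, and a real monitor must verify it against the CA key before acting on any field. The issuer name and the `alert_fraction` threshold are assumptions chosen for the demo.

```python
"""Parse an X.509 CRL (RFC 5280 CertificateList, DER) with the standard library
and evaluate its freshness the way a revocation monitor would."""
from datetime import datetime, timedelta, timezone

# --- minimal DER helpers --------------------------------------------------
def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def read_children(value):
    """Split the content of a constructed element into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 4.1.2.5.1 pivots the year at 50
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = f"{year}{text[2:]}"
    # tag 0x18 (GeneralizedTime) is already YYYYMMDDHHMMSSZ
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Extract thisUpdate, nextUpdate and revoked serials from a CertificateList.
    The signature is NOT checked here; verify it against the CA key before trusting this."""
    _, cert_list, _ = read_tlv(der, 0)
    tbs = read_children(cert_list)[0][1]           # tbsCertList
    fields = read_children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0           # optional version INTEGER
    i += 2                                         # signature AlgorithmIdentifier, issuer Name
    this_update = parse_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = parse_time(*fields[i]); i += 1
    revoked = []
    if i < len(fields) and fields[i][0] == 0x30:   # revokedCertificates SEQUENCE OF
        for _, entry in read_children(fields[i][1]):
            _, serial = read_children(entry)[0]    # userCertificate INTEGER
            revoked.append(int.from_bytes(serial, "big", signed=True))
    return {"this_update": this_update, "next_update": next_update,
            "revoked": revoked, "size_bytes": len(der)}

def freshness(crl, now, alert_fraction=0.25):
    """'expired' once nextUpdate has passed, 'warn' when less than alert_fraction of the
    publication window remains (the successor CRL should already be published), else 'ok'."""
    if crl["next_update"] is None:
        return "warn"   # without nextUpdate a client cannot tell stale from current
    window = crl["next_update"] - crl["this_update"]
    remaining = crl["next_update"] - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < window * alert_fraction:
        return "warn"
    return "ok"

# --- constructed sample CRL (demo data, dummy signature bits) -------------
def sample_crl():
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                          + tlv(0x0C, b"Example Issuing CA"))))
    def entry(serial, date):
        return tlv(0x30, tlv(0x02, serial) + tlv(0x17, date))
    revoked = tlv(0x30, entry(b"\x10\x01", b"240301090000Z") + entry(b"\x10\x02", b"240302120000Z"))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + sha256_rsa + issuer
              + tlv(0x17, b"240301000000Z") + tlv(0x17, b"240308000000Z") + revoked)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + b"\x00" * 32))

if __name__ == "__main__":
    crl = parse_crl(sample_crl())
    now = datetime.now(timezone.utc)
    print(f"{crl['size_bytes']} bytes, {len(crl['revoked'])} revoked, "
          f"nextUpdate {crl['next_update'].isoformat()}, status {freshness(crl, now)}")
```

Run the same check on every CRL distribution point the CA advertises, from outside the CA network, and page on `warn` rather than `expired`: by the time nextUpdate passes, soft-failing clients have already stopped noticing.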