Revocation Status Errors on a Valid SSL Certificate

Sarah Mitchell

A revocation status error can appear on an SSL Certificate that is valid and has not been revoked. The exact wording depends on the platform. Windows reports that the revocation function was unable to check revocation, while some server software reports a status of RevocationStatusUnknown.

In both cases the SSL Certificate itself is usually sound. The problem lies in how the revocation status was looked up, not in the SSL Certificate or your server.

The Meaning of a Revocation Status Error

A revocation status error is not the same as a revoked SSL Certificate. The two can look similar inside an application, yet they describe very different situations.

A revoked SSL Certificate has been deliberately invalidated by the Certificate Authority (CA) and has to be replaced. A revocation status error means the validating software could not obtain an answer about whether the SSL Certificate was revoked, so it reported the status as unresolved.

On Windows this often appears as the error code CRYPT_E_REVOCATION_OFFLINE, which states that the revocation server was offline. That wording points at the lookup, not at the SSL Certificate.

Note: A revocation status of unknown or unresolved does not mean your SSL Certificate has been revoked. It means the software could not retrieve a status, which is a separate condition with a separate cause.

The difference matters because each situation calls for a different response. A revoked SSL Certificate needs to be replaced, while a status that could not be retrieved often needs nothing at all.

Confirming the SSL Certificate Is Not Revoked

Before changing anything, confirm the real revocation state of the SSL Certificate from an authoritative source rather than trusting a single application.

The Certificate Revocation List (CRL) published by the Certificate Authority (CA) is the authoritative record of which SSL Certificates have been revoked. If your SSL Certificate is not on that list, it has not been revoked, whatever an individual program reports.

Public Certificate Transparency search services also show the revocation state recorded by the Certificate Authority (CA), alongside the revocation data published by Google, Microsoft and Mozilla. When those sources agree that an SSL Certificate is not revoked, it is valid. Learn About Certificate Revocation 🔗

You can also check any SSL Certificate yourself at any time. View Our SSL Verification Tools 🔗

Reasons a Revocation Check Can Fail on a Valid SSL Certificate

Changes in how revocation is checked across the internet explain why a valid SSL Certificate can still produce a revocation status error.

The Online Certificate Status Protocol (OCSP) was once the main way software checked revocation in real time. It is now an optional mechanism, and the wider industry has moved toward the Certificate Revocation List (CRL) as the dependable source.

An Online Certificate Status Protocol (OCSP) responder can also be temporarily unable to return a status for a particular SSL Certificate. When that happens, the SSL Certificate is still valid, but a real-time lookup against the responder will not succeed.

Modern web browsers no longer depend on the responder named inside the SSL Certificate. They use revocation data that Google, Microsoft and Mozilla collect and deliver directly to the browser.

This is why a website loads normally in a browser even when a separate program reports a revocation status error. Learn About How Revocation Checking Is Changing 🔗

Software That Still Reports the Error

Software that performs traditional revocation checking behaves differently from a browser, and that difference is behind most of these reports.

Windows service validation, Java-based applications and other server software use the revocation pointer stored inside the SSL Certificate, and they contact that pointer directly. They do not use the revocation data that browsers receive from Google, Microsoft and Mozilla.

When the only revocation pointer in an SSL Certificate is an Online Certificate Status Protocol (OCSP) address, and that responder cannot return a status, the software has nothing else to consult. A program set to treat an unavailable response as a hard failure then reports the status as unresolved.

The validating software still builds the trust chain correctly during this process, using the Intermediate Certificate to link the SSL Certificate to its root. A revocation lookup that cannot complete does not mean the chain or the SSL Certificate is faulty. Learn About Intermediate Certificates 🔗
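The distinction drawn above (L25-31 and the hard-failure behaviour just described), as an added Python example that is not Trustico's code: a small validator that follows the CRL pointer inside a certificate and reports "revoked" only when the CA's signed, current CRL lists the serial, and "unknown" when the lookup itself fails. It uses the cryptography library; the test CA, leaf certificates, CRL and the crl.example URL are all constructed locally for the demonstration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
NOW = dt.datetime.now(dt.timezone.utc)
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():  # constructed test CA standing in for the real CA's Intermediate Certificate
    key = ec.generate_private_key(ec.SECP256R1())
    b = (x509.CertificateBuilder().subject_name(_name("Test CA")).issuer_name(_name("Test CA"))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    return key, b.sign(key, hashes.SHA256())

def issue_leaf(ca_key, ca_cert, cn, crl_url):  # leaf whose revocation pointer is a CRL URL
    key = ec.generate_private_key(ec.SECP256R1())
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(crl_url)], None, None, None)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=10))
         .add_extension(x509.CRLDistributionPoints([dp]), critical=False))
    return b.sign(ca_key, hashes.SHA256())

def build_crl(ca_key, ca_cert, revoked):  # the CA's signed CRL as DER bytes
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=1)))
    for cert in revoked:
        rc = x509.RevokedCertificateBuilder().serial_number(cert.serial_number).revocation_date(NOW)
        b = b.add_revoked_certificate(rc.build())
    return b.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def revocation_status(cert, issuer, fetch):
    # Returns 'revoked', 'good' or 'unknown'; fetch(url) returns DER CRL bytes or raises.
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return "unknown"  # no CRL pointer to consult (an OCSP-only certificate, for instance)
    for url in [n.value for dp in dps for n in (dp.full_name or [])]:
        try:
            crl = x509.load_der_x509_crl(fetch(url))
        except Exception:
            continue  # endpoint unreachable: a lookup failure, not a verdict on the certificate
        nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=dt.timezone.utc)
        if not crl.is_signature_valid(issuer.public_key()) or nxt < NOW:
            continue  # wrong signer or stale CRL: still not an authoritative answer
        return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"
    return "unknown"  # every pointer failed: the status could not be retrieved
```

Software that maps "unknown" to a hard failure is what produces the error the page describes; the value "revoked" is the only one that calls for a replacement certificate.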

Steps to Resolve the Error

In most cases a revocation status error on a valid SSL Certificate needs no action on the SSL Certificate itself.

The SSL Certificate does not need to be reissued because of a revocation status error. A reissue produces a replacement SSL Certificate, but it does not change how revocation lookups behave, so it does not resolve this condition. Reissues are available at no cost within your license period. Learn About Reissuing Your SSL Certificate 🔗

When the cause is a responder that is temporarily unable to return a status, the condition usually clears on its own once the revocation data refreshes. The SSL Certificate continues to protect your website throughout, because the encryption and the trust chain are unaffected.

How your own software treats an unavailable revocation response is controlled by its revocation checking settings, which is a decision to make in line with your own security requirements. This page does not recommend disabling revocation checking.

You can review your order and download your SSL Certificate at any time through the Trustico® tracking system, using your Certificate Authority (CA) Reference to sign in. Learn About The Tracking System 🔗

A revocation status error reads like a serious fault, but on a valid SSL Certificate it is usually a lookup problem rather than a trust problem. Checking the Certificate Revocation List (CRL) is the quickest way to tell the two apart.

More technical answers are available for common SSL Certificate questions. View Our Technical FAQ 🔗

Most Popular Questions

Frequently asked questions covering revocation status errors on a valid SSL Certificate, what a status of RevocationStatusUnknown means, how to confirm an SSL Certificate is not revoked, why the error occurs, and the steps to resolve it.

The Meaning of a Revocation Status Error

A revocation status error means the validating software could not obtain an answer about whether the SSL Certificate was revoked, so it reported the status as unresolved. It is not the same as a revoked SSL Certificate, which has been deliberately invalidated by the Certificate Authority (CA).

Revocation Status Unknown Compared to a Revoked SSL Certificate

A status of unknown or unresolved means the revocation check could not complete, while a revoked SSL Certificate has been permanently invalidated and has to be replaced. The two can look similar inside an application, but only a revoked SSL Certificate actually requires a replacement.

Confirming an SSL Certificate Is Not Revoked

The Certificate Revocation List (CRL) published by the Certificate Authority (CA) is the authoritative record of revoked SSL Certificates, and an SSL Certificate that is absent from it has not been revoked. The revocation data published by Google, Microsoft and Mozilla can confirm the same result.

Reasons a Revocation Check Fails on a Valid SSL Certificate

The Online Certificate Status Protocol (OCSP) is now an optional mechanism, and a responder can be temporarily unable to return a status for a valid SSL Certificate. The SSL Certificate remains valid throughout, because the encryption and the trust chain are unaffected.

Server Software That Reports a Revocation Status Error

Windows service validation, Java-based applications and other server software read the revocation pointer inside the SSL Certificate and contact it directly, rather than using the revocation data that browsers receive. When that pointer is an Online Certificate Status Protocol (OCSP) address and the responder cannot answer, software set to treat this as a hard failure reports the status as unresolved.

Reissuing an SSL Certificate After a Revocation Status Error

A reissue produces a replacement SSL Certificate, but it does not change how revocation lookups behave, so it does not resolve a revocation status error. Reissues are available at no cost within the license period if one is needed for another reason.

Steps to Resolve a Revocation Status Error

In most cases no action is needed on the SSL Certificate, and the condition clears on its own once the revocation data refreshes. How your own software treats an unavailable revocation response is controlled by its revocation checking settings, which is a decision to make in line with your own security requirements.
