ERR_CERT_REVOKED

SSL/TLS Error

What Does ERR_CERT_REVOKED Mean?

ERR_CERT_REVOKED indicates that the website's SSL certificate has been explicitly revoked by the Certificate Authority (CA) that issued it. Certificate revocation is a security mechanism that allows CAs to invalidate certificates before their natural expiration date when there is a reason to no longer trust them.

When a certificate is revoked, it is added to a Certificate Revocation List (CRL) or reported through the Online Certificate Status Protocol (OCSP). Browsers consult these sources during the SSL/TLS handshake. If the certificate is reported as revoked, the browser blocks the connection to protect the user from potentially compromised websites.

This is generally a more serious error than other SSL errors because it means a deliberate action was taken to invalidate the certificate. The website owner or the CA determined that the certificate should no longer be trusted, which could indicate a security incident, key compromise, or domain ownership dispute.

Common Causes

The primary cause is that the website owner or CA intentionally revoked the certificate. This happens when a certificate's private key is compromised or suspected of being compromised. If an attacker gains access to the private key, they could impersonate the website, so immediate revocation is essential. Website administrators should request revocation whenever they suspect their key has been exposed.

CAs may also revoke certificates due to policy violations, mis-issuance, or when the domain owner reports unauthorized certificate issuance. If a certificate was obtained fraudulently, the CA will revoke it upon discovery. Organizational changes like a company being sold, a domain transfer, or the CA ceasing operations can also lead to mass certificate revocations.

In some cases, the error may appear incorrectly due to stale OCSP responses cached in the browser or operating system, network issues preventing OCSP checks, or misconfigured OCSP stapling on the server. Certain antivirus programs and firewalls can also interfere with certificate revocation checking, producing false-positive revocation errors.

Step-by-Step Fix

For website visitors: This error usually requires action from the website administrator, not the visitor. However, you can try clearing your browser's SSL state and cache, which may resolve false positives from stale OCSP responses. On Windows, open Internet Options > Content > Clear SSL State. Restart your browser and try again. If the error persists, the certificate is genuinely revoked.

Check if your antivirus or firewall is interfering with certificate revocation checks. Some security software intercepts HTTPS connections and may report false revocations. Try temporarily disabling SSL scanning in your security software. Also verify your internet connection is stable, as network issues can sometimes cause revocation check failures that are misreported.

For website administrators: If your certificate was revoked, you must obtain a new certificate. First, determine why it was revoked by contacting your CA. If the private key was compromised, generate a new key pair before requesting a new certificate. Install the new certificate, ensure OCSP stapling is properly configured on your server, and test with an SSL checker. For Nginx, enable OCSP stapling with 'ssl_stapling on; ssl_stapling_verify on;' directives.

Frequently Asked Questions

What does ERR_CERT_REVOKED mean?

ERR_CERT_REVOKED means the website's SSL certificate has been revoked by the Certificate Authority that issued it. The certificate is no longer trusted and was deliberately invalidated, usually due to a security concern like key compromise.

Why was the certificate revoked?

Common reasons include: the certificate's private key was compromised, the certificate was obtained fraudulently, the CA discovered a policy violation, the domain ownership changed, or the website owner requested revocation. Contact the CA for specific details.

Can I bypass ERR_CERT_REVOKED?

Most browsers do not allow bypassing a revoked certificate error because it represents a serious security issue. Unlike other certificate warnings, a revoked certificate means someone explicitly determined it should not be trusted. Avoid the website until the issue is resolved.

How long does certificate revocation take to propagate?

OCSP responses typically update within minutes to hours. CRLs (Certificate Revocation Lists) update less frequently, sometimes taking up to 24 hours. Browsers may cache revocation status, so clearing the SSL state helps see the most current status.

How do I check if my certificate is revoked?

Use an SSL checker tool or the OpenSSL command: 'openssl s_client -connect yourdomain.com:443 -status' to check OCSP status. You can also check your CA's CRL distribution point listed in the certificate. Online tools like SSL Labs provide comprehensive revocation status reports.
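To read the result of the OpenSSL check above and to confirm that stapling works after installing a new certificate, the stapled OCSP status can be classified with a short script. This is an added example, not part of the original page; the function names and the sample output blocks are constructed for illustration, and the samples contain only the lines the parser relies on.

```shell
#!/bin/sh
# Classify the OCSP status in `openssl s_client -status` output (read on stdin).
# Prints: good | revoked at <time> (<reason>) | not-stapled | responder-error | unparsed
stapling_status() {
    awk '
        /OCSP response: no response sent/        { state = "not-stapled" }
        /OCSP Response Status:/ && !/successful/ { state = "responder-error" }
        /Cert Status:/       { sub(/.*Cert Status: */, "");       state = $0 }
        /Revocation Time:/   { sub(/.*Revocation Time: */, "");   when = $0 }
        /Revocation Reason:/ { sub(/.*Revocation Reason: */, ""); why = $0 }
        END {
            if (state == "") state = "unparsed"
            if (state == "revoked") {
                if (when != "") state = state " at " when
                if (why != "")  state = state " (" why ")"
            }
            print state
        }'
}

# Live check (needs network, so it is defined but not called here).
# -servername sends SNI so the intended virtual host answers.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Constructed samples of the relevant output lines (not captured from a server).
SAMPLE_GOOD='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Mar 13 09:00:00 2025 GMT'

SAMPLE_REVOKED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Mar 13 10:15:00 2025 GMT
    Revocation Reason: keyCompromise (0x1)'

SAMPLE_NONE='OCSP response: no response sent'

for sample in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | stapling_status
done
```

A result of not-stapled only means the server sent no stapled response; it says nothing about whether the certificate is revoked, but it does show that OCSP stapling is not working on that server.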