Certificate has been revoked

Your SSL certificate has been explicitly invalidated by the certificate authority that issued it. Browsers check revocation status and refuse to trust revoked certificates.

Symptom

  • DomainDash marks the SSL check as Down with error code revoked
  • Visitors see a browser warning like NET::ERR_CERT_REVOKED
  • An OCSP query (openssl ocsp -issuer issuer.pem -cert cert.pem -url <ocsp-url>) returns revoked

What it means

Certificate revocation is the CA's "kill switch" for a certificate. Once revoked, browsers and other clients are expected to refuse the certificate even though the dates and signature are otherwise valid. The CA distributes revocation status via OCSP (Online Certificate Status Protocol) and CRLs (Certificate Revocation Lists). This is a deliberate invalidation, not an accidental misconfiguration — something happened that made the CA decide the certificate should no longer be trusted.

Common causes

  • The private key was compromised. Either you or the CA revoked the certificate to prevent misuse.
  • You requested revocation manually (e.g. via certbot revoke) but didn't replace it with a new certificate, or the replacement isn't being served.
  • The CA revoked it for a policy violation — for example, mis-issuance, domain validation that turned out to be invalid, or a CA-side security incident.
  • Your domain registration changed hands and the previous owner's certificate was revoked when WHOIS contact validation failed.
  • A CA-wide revocation event — rare but it happens (e.g. when a CA distrusts a batch of certificates after a security incident).

How to fix

  1. Confirm the revocation. Find your certificate's issuer and OCSP URL:

    ```bash
    openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -E "OCSP|Issuer"
    ```

    Then query OCSP directly using openssl ocsp against that URL. The response will indicate good, revoked, or unknown.

  2. Find out why. Check your account dashboard with the CA. Let's Encrypt revocations show up in your audit log; commercial CAs typically email the account holder. If your private key was compromised, treat this as a security incident before issuing anything new.

  3. Generate a new key pair if the existing key was the reason for revocation. Don't reuse a compromised key.

    ```bash
    openssl genrsa -out new-key.pem 2048
    ```

  4. Issue a fresh certificate. For Let's Encrypt with certbot, after rotating the key (certbot generates its own new key pair for each certificate unless you configured --reuse-key, so the key from step 3 is only needed if you submit your own CSR with --csr or use a different ACME client):

    ```bash
    sudo certbot certonly --nginx -d example.com -d www.example.com --force-renewal
    ```

  5. Replace the cert on your server and reload the web server. Make sure the old, revoked cert file is removed or moved aside so it can't be served by mistake.

How to verify

  1. Re-run the OCSP check from step 1 against the new certificate. The response should be good.
  2. Open the site in an incognito window so no cached state interferes. The padlock should appear without any warning.
  3. Click "Check now" in DomainDash. Status should flip to Healthy.

Monitor your websites for free

DomainDash checks your uptime, SSL, DNS, and domain registration so you don't have to. Set up in under a minute.